===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.0179
      moodle blind SSRF & multiple cross-site scripting vulnerabilities
                               22 January 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           moodle
Publisher:         moodle
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Cross-site Scripting            -- Existing Account
                   Provide Misleading Information  -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-3810 CVE-2019-3809 CVE-2019-3808

Original Bulletin:
   https://moodle.org/mod/forum/discuss.php?d=381228
   https://moodle.org/mod/forum/discuss.php?d=381230
   https://moodle.org/mod/forum/discuss.php?d=381229

Comment: This bulletin contains three (3) advisories.

--------------------------BEGIN INCLUDED TEXT--------------------

Security announcements

MSA-19-0001: Manage groups capability is missing XSS risk flag

Monday, 21 January 2019, 12:14 PM

The 'manage groups' capability did not have the 'XSS risk' flag assigned to
it, but does have that access in certain places. Note that the capability is
intended for use by trusted users, and is only assigned to teachers and
managers by default.
Severity   : Minor
Affected   : 3.6 to 3.6.1, 3.5 to 3.5.3, 3.4 to 3.4.6, 3.1 to 3.1.15 and
             earlier unsupported versions
Fixed      : 3.6.2, 3.5.4, 3.4.7 and 3.1.16
Reporter   : Fariskhi Vidyan
CVE        : CVE-2019-3808
Workaround : Patch/Upgrade
Changes    : http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-64395
Tracker    : MDL-64395 Manage groups capability is missing XSS risk flag

--------------------------------------------------------------------------------

Security announcements

MSA-19-0002: Blind SSRF Risk in /badges/mybackpack.php

Monday, 21 January 2019, 12:16 PM

The mybackpack functionality allowed setting the URL of badges, when it should
be restricted to the Mozilla Open Badges backpack URL. This resulted in the
possibility of blind SSRF via requests made by the page.

Severity   : Minor
Affected   : 3.1 to 3.1.15 and earlier unsupported versions
Fixed      : 3.1.16
Reporter   : Alejandro Parodi
CVE        : CVE-2019-3809
Workaround : Ensure your firewall rules effectively protect other internal
             hosts and ports from unauthorised access.
Changes    : http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-64222
Tracker    : MDL-64222 Blind SSRF risk in /badges/mybackpack.php

--------------------------------------------------------------------------------

Security announcements

MSA-19-0003: User full name is not escaped in the un-linked userpix page

Monday, 21 January 2019, 12:17 PM

The /userpix/ page did not escape users' full names, which are included as
text when hovering over profile images. Note this page is not linked to by
default and its access is restricted.
Severity   : Minor
Affected   : 3.6 to 3.6.1, 3.5 to 3.5.3, 3.4 to 3.4.6, 3.1 to 3.1.15 and
             earlier unsupported versions
Fixed      : 3.6.2, 3.5.4, 3.4.7 and 3.1.16
Reporter   : Fariskhi Vidyan
CVE        : CVE-2019-3810
Workaround : Patch/Upgrade
Changes    : http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-64372
Tracker    : MDL-64372 User full name is not escaped in the un-linked userpix page

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you
do not know who that is, please send an email to auscert@auscert.org.au and
we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no responsibility
for consequences which may arise from following or acting on information or
advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
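The root cause in MSA-19-0002 is that a user-controlled URL reached server-side requests when only the Open Badges backpack origin should have been accepted. The following is an added illustration of the defensive pattern, not Moodle's own code or fix: the submitted URL is parsed and its origin (scheme, host, port) compared exactly against an allow-list, so substring matches, userinfo tricks and odd ports cannot steer the server toward internal hosts. The allowed origin value is an assumption chosen for the example.

```python
"""Origin allow-list for a user-supplied backpack URL (illustration for
MSA-19-0002; not Moodle's code). Only an exact (scheme, host, port) match
against the configured backpack origin is accepted."""
from urllib.parse import urlsplit

# Constructed allow-list for this example; an installation would carry the
# origin of its actual Open Badges backpack here.
ALLOWED_BACKPACK_ORIGINS = {("https", "backpack.openbadges.org", 443)}


def normalise_origin(url: str):
    """Return (scheme, host, port) for an absolute http(s) URL, or None.

    Rejects anything that is not http/https, has no host, carries userinfo
    (host@realhost), or has a non-numeric port: all common ways an
    allow-list based on string prefixes is bypassed."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:  # e.g. malformed IPv6 literal
        return None
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https") or not parts.hostname:
        return None
    if parts.username is not None or parts.password is not None:
        return None
    try:
        port = parts.port
    except ValueError:  # port present but not an integer
        return None
    if port is None:
        port = 443 if scheme == "https" else 80
    return (scheme, parts.hostname.lower(), port)


def is_allowed_backpack_url(url: str, allowed=ALLOWED_BACKPACK_ORIGINS) -> bool:
    """True only when the URL's normalised origin is in the allow-list."""
    origin = normalise_origin(url)
    return origin is not None and origin in allowed


def backpack_url_or_default(url: str,
                            default="https://backpack.openbadges.org/") -> str:
    """Server-side handling: an unexpected URL is discarded and the configured
    backpack URL is used, so the page never requests a user-chosen host."""
    return url if is_allowed_backpack_url(url) else default
```

Pair this with the bulletin's workaround (egress firewall rules for internal hosts and ports) so that a validation gap elsewhere still cannot reach internal services.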