-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.0179
     moodle blind SSRF & multiple cross-site scripting vulnerabilities
                              22 January 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           moodle
Publisher:         moodle
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Cross-site Scripting           -- Existing Account      
                   Provide Misleading Information -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-3810 CVE-2019-3809 CVE-2019-3808

Original Bulletin: 
   https://moodle.org/mod/forum/discuss.php?d=381228
   https://moodle.org/mod/forum/discuss.php?d=381230
   https://moodle.org/mod/forum/discuss.php?d=381229

Comment: This bulletin contains three (3) advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

Security announcements

MSA-19-0001: Manage groups capability is missing XSS risk flag
Monday, 21 January 2019, 12:14 PM
 
The 'manage groups' capability did not have the 'XSS risk' flag assigned to it,
but does have that access in certain places. Note that the capability is
intended for use by trusted users, and is only assigned to teachers and
managers by default.

Severity   : Minor
Affected   : 3.6 to 3.6.1, 3.5 to 3.5.3, 3.4 to 3.4.6, 3.1 to 3.1.15 and 
             earlier unsupported versions
Fixed      : 3.6.2, 3.5.4, 3.4.7 and 3.1.16
Reporter   : Fariskhi Vidyan
CVE        : CVE-2019-3808
Workaround : Patch/Upgrade
Changes    : http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-64395
Tracker    : MDL-64395 Manage groups capability is missing XSS risk flag

- --------------------------------------------------------------------------------

Security announcements

MSA-19-0002: Blind SSRF Risk in /badges/mybackpack.php
Monday, 21 January 2019, 12:16 PM
 
The mybackpack functionality allowed setting the URL of badges, when it should
be restricted to the Mozilla Open Badges backpack URL. This resulted in the
possibility of blind SSRF via requests made by the page.

Severity   : Minor
Affected   : 3.1 to 3.1.15 and earlier unsupported versions
Fixed      : 3.1.16
Reporter   : Alejandro Parodi
CVE        : CVE-2019-3809
Workaround : Ensure your firewall rules effectively protect other internal 
             hosts and ports from unauthorised access.
Changes    : http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-64222
Tracker    : MDL-64222 Blind SSRF risk in /badges/mybackpack.php
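As an added illustration (not Moodle's own code and not the MSA-19-0002 patch), the kind of allowlist check the fix implies: the backpack URL is parsed and compared component by component against a single permitted origin instead of being accepted as-is. The origin constant assumes the historical Mozilla backpack hostname backpack.openbadges.org; a deployment would pin whichever backpack it actually federates with.

```python
"""Allowlist check for a user-supplied badge backpack URL.

Accepting an arbitrary URL here lets the server make requests to hosts
the user chooses (blind SSRF, CVE-2019-3809); pinning one origin and
comparing parsed components closes that.  Added example, not Moodle code.
"""
from urllib.parse import urlsplit

# Assumed: the historical Mozilla Open Badges backpack origin.
ALLOWED_SCHEME = "https"
ALLOWED_HOST = "backpack.openbadges.org"
ALLOWED_PORT = 443


def backpack_url_is_allowed(url: str) -> bool:
    """Return True only when scheme, host and port all match the allowed origin.

    Comparing parsed components, rather than a string prefix check, rejects
    the usual bypasses: userinfo smuggling ('https://allowed@10.0.0.5/'),
    look-alike hosts ('allowed.evil.example'), alternate ports and schemes,
    and unparsable input.
    """
    try:
        parts = urlsplit(url)
        hostname = parts.hostname   # lower-cased, userinfo and port removed
        port = parts.port           # None if absent; ValueError if malformed
    except ValueError:
        return False
    if hostname is None or parts.scheme.lower() != ALLOWED_SCHEME:
        return False
    if parts.username is not None or parts.password is not None:
        return False                # never allow credentials in the URL
    if hostname != ALLOWED_HOST:    # exact match: no subdomains, no suffixes
        return False
    return (port if port is not None else ALLOWED_PORT) == ALLOWED_PORT


if __name__ == "__main__":
    # Constructed sample inputs, not values from the advisory.
    for candidate in (
        "https://backpack.openbadges.org/displayer/",
        "https://backpack.openbadges.org@127.0.0.1/",
        "https://backpack.openbadges.org.evil.example/",
        "http://169.254.169.254/latest/meta-data/",
    ):
        print(f"{backpack_url_is_allowed(candidate)!s:5}  {candidate}")
```

This application-layer check complements, rather than replaces, the egress firewall rules the advisory gives as the workaround.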

- --------------------------------------------------------------------------------

Security announcements

MSA-19-0003: User full name is not escaped in the un-linked userpix page
Monday, 21 January 2019, 12:17 PM
 
The /userpix/ page did not escape users' full names, which are included as text
when hovering over profile images. Note this page is not linked to by default
and its access is restricted.

Severity   : Minor
Affected   : 3.6 to 3.6.1, 3.5 to 3.5.3, 3.4 to 3.4.6, 3.1 to 3.1.15 and 
             earlier unsupported versions
Fixed      : 3.6.2, 3.5.4, 3.4.7 and 3.1.16
Reporter   : Fariskhi Vidyan
CVE        : CVE-2019-3810
Workaround : Patch/Upgrade
Changes    : http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-64372
Tracker    : MDL-64372 User full name is not escaped in the un-linked userpix page

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----