===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.2464
                          Moodle security updates
                               21 July 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Moodle
Publisher:         Moodle
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Increased Privileges -- Existing Account            
                   Cross-site Scripting -- Remote with User Interaction
                   Denial of Service    -- Existing Account            
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-14322 CVE-2020-14321 CVE-2020-14320
                   CVE-2019-11358  

Reference:         ESB-2019.1360

Original Bulletin: 
   https://moodle.org/mod/forum/discuss.php?d=407391&parent=1644266
   https://moodle.org/mod/forum/discuss.php?d=407391&parent=1644267
   https://moodle.org/mod/forum/discuss.php?d=407391&parent=1644268
   https://moodle.org/mod/forum/discuss.php?d=407391&parent=1644269

Comment: This bulletin contains four (4) Moodle security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

MSA-20-0007: Vulnerable JavaScript libraries: jQuery 1.9.1 (upstream)

The jQuery version bundled with the H5P library contained a prototype pollution
risk; it has now been updated to a patched version.

Severity/Risk:     Minor
Versions affected: 3.8 to 3.8.3
Versions fixed:    3.8.4 and 3.9
Reported by:       weblendweb
CVE identifier:    CVE-2019-11358
Changes (master):  http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-68704
Tracker issue:     MDL-68704 Vulnerable JavaScript libraries: jQuery 1.9.1
                  (upstream)
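The prototype pollution class referred to above (CVE-2019-11358 in jQuery's deep extend), as an added example that is not Moodle's or jQuery's code: a deep merge with the unchecked-key recursion, the hardened form, and a probe an administrator can run against a site's loaded extend function (for jQuery, wrapped as `(t, s) => $.extend(true, t, s)`) to confirm the patched library is the one actually served. Function names and the marker key are this example's own.

```javascript
function isPlainObject(v) {
  return v !== null && typeof v === "object" && !Array.isArray(v);
}

// Vulnerable pattern: the key name is never checked, so a source key named
// "__proto__" makes target[key] resolve to Object.prototype and the recursion
// writes the untrusted document's keys onto every object in the realm.
function deepExtendVulnerable(target, source) {
  for (const key in source) {
    const src = source[key];
    if (isPlainObject(src)) {
      const existing = target[key]; // inherited lookup: "__proto__" -> Object.prototype
      target[key] = deepExtendVulnerable(isPlainObject(existing) ? existing : {}, src);
    } else {
      target[key] = src;
    }
  }
  return target;
}

// Hardened form: skip prototype-related keys (the upstream jQuery 3.4.0 fix skips
// "__proto__"; "constructor" and "prototype" are blocked here as well) and only
// recurse into the target's own properties, never into inherited ones.
const BLOCKED_KEYS = new Set(["__proto__", "constructor", "prototype"]);
function deepExtendSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const src = source[key];
    if (isPlainObject(src)) {
      const own = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
      target[key] = deepExtendSafe(isPlainObject(own) ? own : {}, src);
    } else {
      target[key] = src;
    }
  }
  return target;
}

// Audit probe: merge a constructed JSON document carrying a "__proto__" key under a
// throwaway marker, check whether a fresh object inherits it, then delete the marker
// so the probe leaves no residue. extendFn takes (target, source) and merges deeply.
function extendPollutesPrototype(extendFn) {
  const marker = "__pp_probe_" + Date.now().toString(36);
  const payload = JSON.parse(`{"__proto__": {"${marker}": true}}`);
  extendFn({}, payload);
  const polluted = ({})[marker] === true;
  delete Object.prototype[marker];
  return polluted;
}
```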

- --------------------------------------------------------------------------------

MSA-20-0008: Reflected XSS in admin task logs filter

The filter in the admin task log required extra sanitizing to prevent a
reflected XSS risk.

Severity/Risk:     Serious
Versions affected: 3.9, 3.8 to 3.8.3 and 3.7 to 3.7.6
Versions fixed:    3.9.1, 3.8.4 and 3.7.7
Reported by:       Spyridon Chatzimichail
CVE identifier:    CVE-2020-14320
Changes (master):  http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-69128
Tracker issue:     MDL-69128 Reflected XSS in admin task logs filter

- --------------------------------------------------------------------------------

MSA-20-0009: Course enrolments allowed privilege escalation from teacher role
into manager role

Teachers of a course were able to assign themselves the manager role within
that course.

Severity/Risk:     Serious
Versions affected: 3.9, 3.8 to 3.8.3, 3.7 to 3.7.6, 3.5 to 3.5.12 and earlier
                  unsupported versions
Versions fixed:    3.9.1, 3.8.4, 3.7.7 and 3.5.13
Reported by:       Kien Hoang
CVE identifier:    CVE-2020-14321
Changes (master):  http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-69093
Tracker issue:     MDL-69093 Course enrolments allowed privilege escalation from
                  teacher role into manager role

- --------------------------------------------------------------------------------

MSA-20-0010: yui_combo should mitigate denial of service risk

yui_combo needed to limit the number of files it can load in a single request to
help mitigate the risk of denial of service.

Severity/Risk:     Serious
Versions affected: 3.9, 3.8 to 3.8.3, 3.7 to 3.7.6, 3.5 to 3.5.12 and earlier
                  unsupported versions
Versions fixed:    3.9.1, 3.8.4, 3.7.7 and 3.5.13
Reported by:       Yuri Zwaig
CVE identifier:    CVE-2020-14322
Changes (master):  http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-68426
Tracker issue:     MDL-68426 yui_combo should mitigate denial of service risk

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================