by Michael Hawkins. Users could assign themselves an escalated role within courses or content accessed via LTI, by modifying the request to the LTI publisher site.
Severity/Risk: Serious
Versions affected: 3.6 to 3.6.2, 3.5 to 3.5.4, 3.4 to 3.4.7 and earlier unsupported versions
Versions fixed: 3.6.3, 3.5.5 and 3.4.8
Reported by: Brendan Cox
CVE identifier: CVE-2019-3849
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-62702
Tracker issue: MDL-62702
More info:
https://moodle.org/mod/forum/discuss.php?d=384012&parent=1547744
http://feedproxy.google.com/~r/sucuri/blog/~3/iRdP40nk08I/uncommon-radixes-used-in-malware-obfuscation.html Some JavaScript features allow for pretty interesting obfuscation techniques. For example, did you know that virtually any English word can be used as a valid number? I recently decoded a credit card stealing script injected at the bottom of a js/varien/js.js file: There were several layers of obfuscation. During the final stage of decoding, […]
More info:
http://feedproxy.google.com/~r/sucuri/blog/~3/iRdP40nk08I/uncommon-radixes-used-in-malware-obfuscation.html
by Michael Hawkins. Users with the "login as other users" capability (such as administrators/managers) can access other users' Dashboards, but the JavaScript those other users may have added to their Dashboard was not being escaped when being viewed by the user logging in on their behalf. Please note that for versions 3.1 and 3.4 only, this fix removes access to other users' Dashboards while using the login-as functionality. Versions 3.5 and 3.6 have additional sanitizing implemented,
More info:
https://moodle.org/mod/forum/discuss.php?d=384010&parent=1547742
https://wpvulndb.com/vulnerabilities/9233
More info:
https://wpvulndb.com/vulnerabilities/9233
http://feedproxy.google.com/~r/sucuri/blog/~3/dJRlgHKTUzY/arbitrary-directory-deletion-in-wp-fastest-cache.html The WP-Fastest-Cache plugin authors released a new update, version 0.8.9.1, fixing a vulnerability (CVE-2019-6726) present during its install alongside the WP-PostRatings plugin. According to seclists.org: “A successful attack allows an unauthenticated attacker to specify a path to a directory from which files and directories will be deleted recursively. The vulnerable code path
More info:
http://feedproxy.google.com/~r/sucuri/blog/~3/dJRlgHKTUzY/arbitrary-directory-deletion-in-wp-fastest-cache.html
OpenSSL vulnerability CVE-2019-1559 Security Advisory. Description: If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_ ...
More info:
https://support.f5.com/csp/article/K18549143
by Michael Hawkins. Permissions were not correctly checked before loading event information into the calendar's edit event modal popup, so logged-in non-guest users could view unauthorised calendar events. (Note: it was read-only access; users could not edit the events.)
Severity/Risk: Serious
Versions affected: 3.6 to 3.6.2, 3.5 to 3.5.4 and 3.4 to 3.4.7
Versions fixed: 3.6.3, 3.5.5 and 3.4.8
Reported by: Juan Leyva
CVE identifier: CVE-2019-3848
Changes
More info:
https://moodle.org/mod/forum/discuss.php?d=384011&parent=1547743
Linux Kernel vulnerability CVE-2019-1559 Security Advisory. Description: If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a ...
More info:
https://support.f5.com/csp/article/K18549143
We wanted to post a quick acknowledgement that VMware will have representatives in attendance at Pwn2Own Vancouver 2019 to review any vulnerabilities that may be demonstrated during the security contest. Stay tuned for further updates. As always, please sign up for our VMware Security Advisories here for new and updated information. The post VMware and Pwn2Own Vancouver 2019 appeared first on VMware Security & Compliance Blog.
More info:
https://blogs.vmware.com/security/2019/03/vmware-and-pwn2own-vancouver-2019.html
Firefox 66, being released this week, supports using the Windows Hello feature for Web Authentication on Windows 10, enabling a passwordless experience on the web that is hassle-free and more secure. Firefox has supported Web Authentication for all desktop platforms … The post Passwordless Web Authentication Support via Windows Hello appeared first on Mozilla Security Blog.
More info:
https://blog.mozilla.org/security/2019/03/19/passwordless-web-authentication-support-via-windows-hello/