by Michael Hawkins. Users with the capability to create courses were assigned as a teacher in those courses, regardless of whether they had the capability to be automatically assigned that role.
Severity/Risk: Minor
Versions affected: 3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and earlier unsupported versions
Versions fixed: 3.7.2, 3.6.6 and 3.5.8
Reported by: Andrew Nicols
CVE identifier: CVE-2019-14828
More info:
https://moodle.org/mod/forum/discuss.php?d=391031&parent=1576205
by Michael Hawkins. The mobile launch endpoint contained an open redirect in some circumstances, which could result in a user's mobile access token being exposed. (Note: This does not affect sites with a forced URL scheme configured, the mobile service disabled, or where the mobile app login method is "via the app".)
Severity/Risk: Serious
Versions affected: 3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and earlier unsupported versions
Versions fixed: 3.7.2, 3.6.6 and 3.5.8
Reported by: Frederik Schou
More info:
https://moodle.org/mod/forum/discuss.php?d=391036&parent=1576214
by Michael Hawkins. Mustache helper tags that were included in template contexts were not being escaped before that context was injected into another Mustache helper, which could result in script injection in some templates.
Severity/Risk: Serious
Versions affected: 3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and earlier unsupported versions
Versions fixed: 3.7.2, 3.6.6 and 3.5.8
Reported by: Sam Hemelryk, Andrew Nicols
CVE identifier: CVE-2019-14827
More info:
https://moodle.org/mod/forum/discuss.php?d=391030&parent=1576204
by Michael Hawkins. The analytics Python Machine Learning backend has received some security fixes, resulting in the required PIP package version being increased. (Note: Sites using the PHP ML backend, or not using analytics, are not affected.)
Severity/Risk: Minor
Versions affected: 3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and earlier unsupported versions
Versions fixed: 3.7.2, 3.6.6 and 3.5.8
Reported by: David Monllaó
CVE identifier: N/A
More info:
https://moodle.org/mod/forum/discuss.php?d=391032&parent=1576208
https://wpvulndb.com/vulnerabilities/9880
More info:
https://wpvulndb.com/vulnerabilities/9880
by Michael Hawkins. If a forum's subscription mode was set to "forced subscription", the forum's subscribe link contained an open redirect.
Severity/Risk: Minor
Versions affected: 3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and earlier unsupported versions
Versions fixed: 3.7.2, 3.6.6 and 3.5.8
Reported by: John Couzins
Workaround: Set a different subscription mode (e.g. optional or auto) on forums until the patch is applied.
CVE identifier: CVE-2019-14831
More info:
https://moodle.org/mod/forum/discuss.php?d=391037&parent=1576215
https://wpengine.com/blog/gdpr-lessons-learned/
It's been more than a year since the General Data Protection Regulation (GDPR) went into effect in the EU. While this series of data privacy and protection laws applies to citizens of the EU, any global organization that holds or processes EU resident data is subject to GDPR regulation. It's clear that GDPR has and will… […]
More info:
https://wpengine.com/blog/gdpr-lessons-learned/
http://feedproxy.google.com/~r/sucuri/blog/~3/vUeck3YfxVs/dissecting-the-wordpress-5-2-3-update.html
Last week, WordPress released version 5.2.3, which was a security and maintenance update and, as such, contained many security fixes. Part of our day-to-day work is to analyse these security releases, discover what security issue each is fixing and come up with a Proof of Concept for further internal testing. Based on […]
More info:
http://feedproxy.google.com/~r/sucuri/blog/~3/vUeck3YfxVs/dissecting-the-wordpress-5-2-3-update.html
by Michael Hawkins. Activity creation capabilities were not correctly respected when selecting the activity to use for a course in single activity mode.
Severity/Risk: Minor
Versions affected: 3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and earlier unsupported versions
Versions fixed: 3.7.2, 3.6.6 and 3.5.8
Reported by: Andrew Nicols
CVE identifier: CVE-2019-14829
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-66187
Tracker issue: MDL-66187
More info:
https://moodle.org/mod/forum/discuss.php?d=391035&parent=1576213