D-Bus vulnerability CVE-2019-12749 Security Advisory Security Advisory Description dbus before 1.10.28, 1.12.x before 1.12.16, and 1.13.x before 1.13.12, as used in DBusServer in Canonical Upstart ...
More info:
https://support.f5.com/csp/article/K25719440?utm_source=f5support&utm_medium=RSS
Project: Drupal coreDate: 2020-September-16Security risk: Moderately critical 14∕25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Cross-site scriptingCVE IDs: CVE-2020-13666Description: The Drupal AJAX API does not disable JSONP by default, which can lead to cross-site scripting.Solution: Install the latest version:If you are using Drupal 7.x, upgrade to Drupal 7.73.If you are using Drupal 8.8.x, upgrade to Drupal 8.8.10.If you are using Drupal 8.9.x, upgrade to
More info:
https://www.drupal.org/sa-core-2020-007
von Michael Hawkins. The moodlenetprofile user profile field required extra sanitizing to prevent a stored XSS risk.Severity/Risk:SeriousVersions affected:3.9 to 3.9.1Versions fixed:3.9.2Reported by:Kien HoangCVE identifier:CVE-2020-25627Changes (master):http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-69240Tracker issue:MDL-69240 Stored XSS via moodlenetprofile parameter in user profile
More info:
https://moodle.org/mod/forum/discuss.php?d=410839&parent=1657001
von Michael Hawkins. The filter in the admin task log required extra sanitizing to prevent a reflected XSS risk.Severity/Risk:SeriousVersions affected:3.9 to 3.9.1, 3.8 to 3.8.4, 3.7 to 3.7.7, 3.5 to 3.5.13 and earlier unsupported versionsVersions fixed:3.9.2, 3.8.5, 3.7.8 and 3.5.14Reported by:Luuk VerhoevenCVE identifier:CVE-2020-25628Changes (master):http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-69340Tracker issue:MDL-69340 Reflected XSS in tag manager
More info:
https://moodle.org/mod/forum/discuss.php?d=410840&parent=1657002
von Michael Hawkins. Users with "Log in as" capability in a course context (typically, course managers) may gain access to some site administration capabilities by "logging in as" a System manager.Severity/Risk:MinorVersions affected:3.9 to 3.9.1, 3.8 to 3.8.4, 3.7 to 3.7.7, 3.5 to 3.5.13 and earlier unsupported versionsVersions fixed:3.9.2, 3.8.5, 3.7.8 and 3.5.14Reported by:Florence ThiardWorkaround:Remove the "Login as other users" capability from the manager
More info:
https://moodle.org/mod/forum/discuss.php?d=410841&parent=1657003
von Michael Hawkins. It was possible to include JavaScript in a books chapter title, which was not escaped on the "Add new chapter" page.Note: By default this functionality is only available to trusted users (such as teachers), but has been included as a security issue as a precaution, since it was not sanitized on sites with forceclean enabled.Severity/Risk:MinorVersions affected:3.9 to 3.9.1, 3.8 to 3.8.4 and 3.7 to 3.7.7Versions fixed:3.9.2, 3.8.5 and 3.7.8Reported by:DegrangeMCVE
More info:
https://moodle.org/mod/forum/discuss.php?d=410843&parent=1657005
von Michael Hawkins. The decompressed size of zip files was not checked against available user quota before unzipping them, which could lead to a denial of service risk.Severity/Risk:SeriousVersions affected:3.9 to 3.9.1, 3.8 to 3.8.4, 3.7 to 3.7.7, 3.5 to 3.5.13 and earlier unsupported versionsVersions fixed:3.9.2, 3.8.5, 3.7.8 and 3.5.14Reported by:Ivan NovichkovCVE identifier:CVE-2020-25630Changes
More info:
https://moodle.org/mod/forum/discuss.php?d=410842&parent=1657004
