Day: 25 septiembre, 2020

Linux kernel vulnerability CVE-2019-17055 Security Advisory Security Advisory Description base_sock_create in drivers/isdn/mISDN/socket.c in the AF_ISDN network module in the Linux kernel through ... More info: https://support.f5.com/csp/article/K63176101?utm_source=f5support&utm_medium=RSS

The BIG-IP ASM system may fail to mask sensitive parameter for an Allowed URL in the Referrer header and logs Security Advisory Security Advisory Description The BIG-IP ASM system may fail to mask ... More info: https://support.f5.com/csp/article/K86285055?utm_source=f5support&utm_medium=RSS

TMM vulnerability CVE-2020-5930 Security Advisory Security Advisory Description Unauthenticated attackers can cause disruption of service via undisclosed methods. (CVE-2020-5930) Impact An ... More info: https://support.f5.com/csp/article/K20622530?utm_source=f5support&utm_medium=RSS

Quite a few new WordPress plugin and theme vulnerabilities were disclosed during the second half of September, making this one of our largest round-ups to date. In this post, we cover recent WordPress plugin, theme, and core vulnerabilities and what to do if you are running one of the vulnerable plugins or themes on your […] More info: https://ithemes.com/wordpress-vulnerability-roundup-september-2020-part-2/

by Michael Hawkins. The moodlenetprofile user profile field required extra sanitizing to prevent a stored XSS risk.Severity/Risk:SeriousVersions affected:3.9 to 3.9.1Versions fixed:3.9.2Reported by:Kien HoangCVE identifier:CVE-2020-25627Changes (master):http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-69240Tracker issue:MDL-69240 Stored XSS via moodlenetprofile parameter in user profile More info: https://moodle.org/mod/forum/discuss.php?d=410839&parent=1657001

by Michael Hawkins. Users with "Log in as" capability in a course context (typically, course managers) may gain access to some site administration capabilities by "logging in as" a System manager.Severity/Risk:MinorVersions affected:3.9 to 3.9.1, 3.8 to 3.8.4, 3.7 to 3.7.7, 3.5 to 3.5.13 and earlier unsupported versionsVersions fixed:3.9.2, 3.8.5, 3.7.8 and 3.5.14Reported by:Florence ThiardWorkaround:Remove the "Login as other users" capability from the manager More info: https://moodle.org/mod/forum/discuss.php?d=410841&parent=1657003

by Michael Hawkins. The filter in the admin task log required extra sanitizing to prevent a reflected XSS risk.Severity/Risk:SeriousVersions affected:3.9 to 3.9.1, 3.8 to 3.8.4, 3.7 to 3.7.7, 3.5 to 3.5.13 and earlier unsupported versionsVersions fixed:3.9.2, 3.8.5, 3.7.8 and 3.5.14Reported by:Luuk VerhoevenCVE identifier:CVE-2020-25628Changes (master):http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-69340Tracker issue:MDL-69340 Reflected XSS in tag manager More info: https://moodle.org/mod/forum/discuss.php?d=410840&parent=1657002

by Michael Hawkins. It was possible to include JavaScript in a books chapter title, which was not escaped on the "Add new chapter" page.Note: By default this functionality is only available to trusted users (such as teachers), but has been included as a security issue as a precaution, since it was not sanitized on sites with forceclean enabled.Severity/Risk:MinorVersions affected:3.9 to 3.9.1, 3.8 to 3.8.4 and 3.7 to 3.7.7Versions fixed:3.9.2, 3.8.5 and 3.7.8Reported by:DegrangeMCVE More info: https://moodle.org/mod/forum/discuss.php?d=410843&parent=1657005

by Michael Hawkins. The decompressed size of zip files was not checked against available user quota before unzipping them, which could lead to a denial of service risk.Severity/Risk:SeriousVersions affected:3.9 to 3.9.1, 3.8 to 3.8.4, 3.7 to 3.7.7, 3.5 to 3.5.13 and earlier unsupported versionsVersions fixed:3.9.2, 3.8.5, 3.7.8 and 3.5.14Reported by:Ivan NovichkovCVE identifier:CVE-2020-25630Changes More info: https://moodle.org/mod/forum/discuss.php?d=410842&parent=1657004