Wordfence announces a new program offering free site cleaning and site audits to public schools in the United States. We talk about why we’re offering this program and how to help schools take advantage of it. We also talk about the growing prevalence of WordPress as a content management system and how the incoming administration […]
More info:
https://www.wordfence.com/blog/2021/01/episode-101-supporting-remote-students-with-free-site-audits-cleanings/
by Michael Hawkins. Some search inputs were vulnerable to reflected XSS due to insufficient escaping of search queries.
Severity/Risk: Serious
Versions affected: 3.10
Versions fixed: 3.10.1
Reported by: kstpt
CVE identifier: CVE-2021-20183
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-70571
Tracker issue: MDL-70571 Search input template insufficiently escaped search queries
More info:
https://moodle.org/mod/forum/discuss.php?d=417166&parent=1680837
by Michael Hawkins. Insufficient capability checks in some grade-related web services meant students were able to view other students' grades.
Severity/Risk: Minor
Versions affected: 3.10, 3.9 to 3.9.3, 3.8 to 3.8.6
Versions fixed: 3.10.1, 3.9.4 and 3.8.7
Reported by: Juan Segarra Montesinos
CVE identifier: CVE-2021-20184
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-69797
Tracker issue: MDL-69797 Grade information disclosure in grades external fetch
More info:
https://moodle.org/mod/forum/discuss.php?d=417167&parent=1680839
by Michael Hawkins. Messaging did not impose a character limit when sending messages, which could result in client-side (browser) denial of service for users receiving very large messages.
Severity/Risk: Minor
Versions affected: 3.10, 3.9 to 3.9.3, 3.8 to 3.8.6, 3.5 to 3.5.15 and earlier unsupported versions
Versions fixed: 3.10.1, 3.9.4, 3.8.7 and 3.5.16
Reported by: Rik Gouw
CVE identifier: CVE-2021-20185
Changes
More info:
https://moodle.org/mod/forum/discuss.php?d=417168&parent=1680841
by Michael Hawkins. If the TeX notation filter was enabled, additional sanitizing of TeX content was required to prevent the risk of stored XSS.
Severity/Risk: Serious
Versions affected: 3.10, 3.9 to 3.9.3, 3.8 to 3.8.6, 3.5 to 3.5.15 and earlier unsupported versions
Versions fixed: 3.10.1, 3.9.4, 3.8.7 and 3.5.16
Reported by: Ata Hakcil
Workaround: Disable the TeX notation filter until the patch has been applied. (Note that this filter is disabled by default.)
CVE identifier: CVE-2021-20186
Changes
More info:
https://moodle.org/mod/forum/discuss.php?d=417170&parent=1680845
by Michael Hawkins. It was possible for site administrators to execute arbitrary PHP scripts via a PHP include used during Shibboleth authentication.
Severity/Risk: Serious
Versions affected: 3.10, 3.9 to 3.9.3, 3.8 to 3.8.6, 3.5 to 3.5.15 and earlier unsupported versions
Versions fixed: 3.10.1, 3.9.4, 3.8.7 and 3.5.16
Reported by: Frédéric Massart
Workaround: Hardcode preventexecpath to true in config.php, which prevents site administrators from setting some executable paths via the UI. See
More info:
https://moodle.org/mod/forum/discuss.php?d=417171&parent=1680847