Episode 101: Supporting Remote Students with Free Site Audits & Cleanings

Wordfence announces a new program offering free site cleaning and site audits to public schools in the United States. We talk about why we’re offering this program and how to help schools take advantage of it. We also talk about the growing prevalence of WordPress as a content management system and how the incoming administration […] More info: https://www.wordfence.com/blog/2021/01/episode-101-supporting-remote-students-with-free-site-audits-cleanings/

MSA-21-0001: Search input template insufficiently escaped search queries

by Michael Hawkins. Some search inputs were vulnerable to reflected XSS due to insufficient escaping of search queries.
Severity/Risk: Serious
Versions affected: 3.10
Versions fixed: 3.10.1
Reported by: kstpt
CVE identifier: CVE-2021-20183
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-70571
Tracker issue: MDL-70571 Search input template insufficiently escaped search queries
More info: https://moodle.org/mod/forum/discuss.php?d=417166&parent=1680837

MSA-21-0002: Grade information disclosure in grades external fetch functions

by Michael Hawkins. Insufficient capability checks in some grade-related web services meant students were able to view other students' grades.
Severity/Risk: Minor
Versions affected: 3.10, 3.9 to 3.9.3, 3.8 to 3.8.6
Versions fixed: 3.10.1, 3.9.4 and 3.8.7
Reported by: Juan Segarra Montesinos
CVE identifier: CVE-2021-20184
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-69797
Tracker issue: MDL-69797 Grade information disclosure in grades external fetch
More info: https://moodle.org/mod/forum/discuss.php?d=417167&parent=1680839

MSA-21-0003: Client side denial of service via personal message

by Michael Hawkins. Messaging did not impose a character limit when sending messages, which could result in client-side (browser) denial of service for users receiving very large messages.
Severity/Risk: Minor
Versions affected: 3.10, 3.9 to 3.9.3, 3.8 to 3.8.6, 3.5 to 3.5.15 and earlier unsupported versions
Versions fixed: 3.10.1, 3.9.4, 3.8.7 and 3.5.16
Reported by: Rik Gouw
CVE identifier: CVE-2021-20185
Changes:
More info: https://moodle.org/mod/forum/discuss.php?d=417168&parent=1680841

MSA-21-0004: Stored XSS possible via TeX notation filter

by Michael Hawkins. If the TeX notation filter was enabled, additional sanitizing of TeX content was required to prevent the risk of stored XSS.
Severity/Risk: Serious
Versions affected: 3.10, 3.9 to 3.9.3, 3.8 to 3.8.6, 3.5 to 3.5.15 and earlier unsupported versions
Versions fixed: 3.10.1, 3.9.4, 3.8.7 and 3.5.16
Reported by: Ata Hakcil
Workaround: Disable the TeX notation filter until the patch has been applied. (Note that this filter is disabled by default.)
CVE identifier: CVE-2021-20186
Changes:
More info: https://moodle.org/mod/forum/discuss.php?d=417170&parent=1680845

MSA-21-0005: Arbitrary PHP code execution by site admins via Shibboleth configuration

by Michael Hawkins. It was possible for site administrators to execute arbitrary PHP scripts via a PHP include used during Shibboleth authentication.
Severity/Risk: Serious
Versions affected: 3.10, 3.9 to 3.9.3, 3.8 to 3.8.6, 3.5 to 3.5.15 and earlier unsupported versions
Versions fixed: 3.10.1, 3.9.4, 3.8.7 and 3.5.16
Reported by: Frédéric Massart
Workaround: Hardcode preventexecpath to true in config.php, which prevents site administrators setting some executable paths via the UI. See
More info: https://moodle.org/mod/forum/discuss.php?d=417171&parent=1680847