K54184111: Kibana vulnerability CVE-2019-7609

Kibana vulnerability CVE-2019-7609 Security Advisory. Description: Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer. An ...
More info: https://support.f5.com/csp/article/K54184111?utm_source=f5support&utm_medium=RSS

MSA-22-0005: SQL injection risk in Badges criteria code

by Michael Hawkins. An SQL injection risk was identified in Badges code relating to configuring criteria. Access to the relevant capability was limited to teachers and managers by default.
NOTE: Please pay particular attention to this fix. Information was recently released online about this vulnerability by third parties, so please upgrade or patch as soon as you are able to. We prepared the patch for this as soon as we became aware of the issue, to ensure a fix was available for this release. It
More info: https://moodle.org/mod/forum/discuss.php?d=432947&parent=1742073

MSA-22-0006: Users with moodle/site:uploadusers but without moodle/user:delete could delete users

by Michael Hawkins. Insufficient capability checks could allow users with the moodle/site:uploadusers capability to delete users, without having the necessary moodle/user:delete capability.
Severity/Risk: Minor
Versions affected: 3.11 to 3.11.5, 3.10 to 3.10.9, 3.9 to 3.9.12 and earlier unsupported versions
Versions fixed: 3.11.6, 3.10.10 and 3.9.13
Reported by: Chris Pratt
Workaround: Remove the moodle/site:uploadusers capability from users who do not also have the moodle/user:delete capability, until
More info: https://moodle.org/mod/forum/discuss.php?d=432948&parent=1742074

MSA-22-0007: Possible to reach the profile field badge criteria on a course page

by Michael Hawkins. Users with the capability to configure badge criteria (teachers and managers by default) were able to configure course badges with profile field criteria, which should only be available for site badges.
Severity/Risk: Minor
Versions affected: 3.11 to 3.11.5, 3.10 to 3.10.9, 3.9 to 3.9.12 and earlier unsupported versions
Versions fixed: 3.11.6, 3.10.10 and 3.9.13
Reported by: Andrew Lyons
Workaround: Remove the moodle/badges:configurecriteria capability from users to prevent them
More info: https://moodle.org/mod/forum/discuss.php?d=432949&parent=1742075

MSA-22-0008: Upgrade PHPMailer to latest version (upstream)

by Michael Hawkins. The PHPMailer library included with Moodle has been upgraded to the latest version, which includes security fixes.
Severity/Risk: Minor
Versions affected: 3.11 to 3.11.5, 3.10 to 3.10.9, 3.9 to 3.9.12 and earlier unsupported versions
Versions fixed: 3.11.6, 3.10.10 and 3.9.13
Reported by: Sara Arjona (@sarjona)
CVE identifier: N/A
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71703
Tracker issue: MDL-71703 Upgrade PHPMailer to
More info: https://moodle.org/mod/forum/discuss.php?d=432950&parent=1742077

MSA-22-0009: Upgrade CKEditor included in h5p-editor-php-library to latest version (upstream)

by Michael Hawkins. The CKEditor included in the h5p-editor-php-library within Moodle has been upgraded to the latest version, which includes security fixes.
Severity/Risk: Minor
Versions affected: 3.11 to 3.11.5, 3.10 to 3.10.9, 3.9 to 3.9.12 and earlier unsupported versions
Versions fixed: 3.11.6, 3.10.10 and 3.9.13
Reported by: Sara Arjona (@sarjona)
CVE identifier: N/A
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71722
Tracker issue: MDL-71722
More info: https://moodle.org/mod/forum/discuss.php?d=432951&parent=1742078