by Michael Hawkins. Users with "Log in as" capability in a course context (typically, course managers) may gain access to some site administration capabilities by "logging in as" a System manager.Severity/Risk:MinorVersions affected:3.9 to 3.9.1, 3.8 to 3.8.4, 3.7 to 3.7.7, 3.5 to 3.5.13 and earlier unsupported versionsVersions fixed:3.9.2, 3.8.5, 3.7.8 and 3.5.14Reported by:Florence ThiardWorkaround:Remove the "Login as other users" capability from the manager
More info:
https://moodle.org/mod/forum/discuss.php?d=410841&parent=1657003
by Michael Hawkins. The filter in the admin task log required extra sanitizing to prevent a reflected XSS risk.Severity/Risk:SeriousVersions affected:3.9 to 3.9.1, 3.8 to 3.8.4, 3.7 to 3.7.7, 3.5 to 3.5.13 and earlier unsupported versionsVersions fixed:3.9.2, 3.8.5, 3.7.8 and 3.5.14Reported by:Luuk VerhoevenCVE identifier:CVE-2020-25628Changes (master):http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-69340Tracker issue:MDL-69340 Reflected XSS in tag manager
More info:
https://moodle.org/mod/forum/discuss.php?d=410840&parent=1657002
by Michael Hawkins. It was possible to include JavaScript in a books chapter title, which was not escaped on the "Add new chapter" page.Note: By default this functionality is only available to trusted users (such as teachers), but has been included as a security issue as a precaution, since it was not sanitized on sites with forceclean enabled.Severity/Risk:MinorVersions affected:3.9 to 3.9.1, 3.8 to 3.8.4 and 3.7 to 3.7.7Versions fixed:3.9.2, 3.8.5 and 3.7.8Reported by:DegrangeMCVE
More info:
https://moodle.org/mod/forum/discuss.php?d=410843&parent=1657005
by Michael Hawkins. The decompressed size of zip files was not checked against available user quota before unzipping them, which could lead to a denial of service risk.Severity/Risk:SeriousVersions affected:3.9 to 3.9.1, 3.8 to 3.8.4, 3.7 to 3.7.7, 3.5 to 3.5.13 and earlier unsupported versionsVersions fixed:3.9.2, 3.8.5, 3.7.8 and 3.5.14Reported by:Ivan NovichkovCVE identifier:CVE-2020-25630Changes
More info:
https://moodle.org/mod/forum/discuss.php?d=410842&parent=1657004
SCP vulnerability CVE-2020-15778 Security Advisory Security Advisory Description scp in OpenSSH through 8.3p1 allows command injection in scp.c remote function, as demonstrated by backtick ...
More info:
https://support.f5.com/csp/article/K04305530?utm_source=f5support&utm_medium=RSS
In our previous blogs, we discussed the emergence of XDR and its differentiation compared to other security solutions as well as its use cases and the role of the MITRE ATT&CK framework. In this 3rd and final blog of the XDR mini-series, we’ll discuss some challenges organizations may face while trying to implement XDR solutions. The post Challenges of Implementing XDR appeared first on Security & Compliance Blog.
More info:
https://blogs.vmware.com/security/2020/09/challenges-to-implementing-xdr-solutions.html?utm_source=rss&utm_medium=rss&utm_campaign=challenges-to-implementing-xdr-solutions
Vulnerabilities were recently patched in the Discount Rules for WooCommerce plugin installed on over 40,000 WordPress sites. Developers from OWASP Core Rule Set said ModSecurity v3 is exposed to denial of service exploits, though the maintainers of ModSecurity reject that claim. A severe vulnerability called Zerologon in Windows Netlogon was patched in August; this bug […]
More info:
https://www.wordfence.com/blog/2020/09/episode-87-vulnerabilities-affect-discount-rules-for-woocommerce-plugin-modsecurity-windows/
Are you frustrated trying to fix the HTTP 500 Internal Server Error on your WordPress site? You’re not alone. This is one of the most dreaded errors on WordPress because it never has a straightforward solution. Troubleshooting can take a lot of time and meanwhile, your site is down. You lose visitors, traffic, SEO rankings, […]
More info:
https://blogvault.net/http-500-internal-server-error-wordpress/
On August 14, our Threat Intelligence team discovered several vulnerabilities present in XCloner Backup and Restore, a WordPress plugin installed on over 30,000 sites. This flaw gave authenticated attackers, with subscriber-level or above capabilities, the ability to modify arbitrary files, including PHP files. Doing so would allow an attacker to achieve remote code execution on […]
More info:
https://www.wordfence.com/blog/2020/09/critical-vulnerabilities-patched-in-xcloner-backup-and-restore-plugin/
We are excited to announce a new update of Activity Log for the WPForms. With this extension for the WP Activity Log plugin you can keep a log of changes your team does on forms and the WPForms plugin settings. In this update we focused mostly on improving the coverage of the activity logs; WP […]
More info:
https://wpactivitylog.com/activity-log-wpforms-1-1/
