The first release candidate for WordPress 5.5 is now available! This is an important milestone in the community’s progress toward the final release of WordPress 5.5. “Release Candidate” means that the new version is ready for release, but with millions of users and thousands of plugins and themes, it’s possible something was missed. WordPress 5.5 […]
More info:
https://wordpress.org/news/2020/07/wordpress-5-5-release-candidate/
On June 19th, our Threat Intelligence team discovered a vulnerability present in Comments – wpDiscuz, a WordPress plugin installed on over 80,000 sites. This flaw gave unauthenticated attackers the ability to upload arbitrary files, including PHP files, and achieve remote code execution on a vulnerable site’s server. We initially reached out to the plugin’s developer […]
More info:
https://www.wordfence.com/blog/2020/07/critical-arbitrary-file-upload-vulnerability-patched-in-wpdiscuz-plugin/
by Michael Hawkins. X-Forwarded-For headers could be used to spoof a user's IP in order to bypass remote address checks.
PATCH NOTE: For user IPs to be checked (and logged) accurately after this patch is applied, sites using multiple levels of reverse proxies/balancers that append to the X-Forwarded-For header will need to configure the new "reverseproxyignore" setting. This ensures the IPs of the later proxies are ignored in favour of the user's IP.
Severity/Risk: Serious
Versions
More info:
https://moodle.org/mod/forum/discuss.php?d=398351&parent=1606855
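The spoofing the advisory above describes works because X-Forwarded-For is a comma-separated chain that the client gets to start: each proxy appends the address it received the connection from, so only the entries appended by proxies you operate can be believed, and an application that reads the leftmost entry accepts whatever the client wrote. The following is an added example, not Moodle's code, showing the naive lookup beside a hardened one that walks the chain from the hop nearest the application and discards known proxies. The proxy addresses, the request objects and the allowlist-based approach are assumptions for illustration; Moodle's own setting, as the advisory describes it, ignores the later proxies rather than using an allowlist of this shape.

```javascript
// Added example (not Moodle's code): deriving the client IP from X-Forwarded-For
// without trusting attacker-controlled entries. After passing two proxies the
// header reads:  <anything the client sent>, <real client>, <proxy1>
// and the TCP peer of the application is proxy2.

// Constructed topology (assumption): two reverse proxies we control front the app.
const TRUSTED_PROXIES = new Set(["10.0.0.5", "10.0.0.6"]);

// VULNERABLE: takes the leftmost entry, which the client can set to anything.
function naiveClientIp(req) {
  const xff = req.headers["x-forwarded-for"];
  return xff ? xff.split(",")[0].trim() : req.socket.remoteAddress;
}

// HARDENED: walk the chain from the hop nearest us, skipping our own proxies;
// the first untrusted address is the client. Entries to its left are unverifiable.
function clientIp(req, trustedProxies = TRUSTED_PROXIES) {
  const peer = req.socket.remoteAddress;
  // If the TCP peer is not one of our proxies, nothing we trust set the header.
  if (!trustedProxies.has(peer)) return peer;
  const xff = req.headers["x-forwarded-for"];
  if (!xff) return peer;
  const hops = xff.split(",").map((s) => s.trim()).filter(Boolean);
  for (let i = hops.length - 1; i >= 0; i--) {
    if (!trustedProxies.has(hops[i])) return hops[i];
  }
  return peer; // every listed hop is ours; the peer address is the best we have
}

// A remote-address check of the kind that header spoofing was used to bypass.
function isLoopback(ip) {
  return ip === "127.0.0.1" || ip === "::1";
}

// Constructed request: attacker at 203.0.113.7 sends "X-Forwarded-For: 127.0.0.1";
// proxy 10.0.0.5 appends 203.0.113.7, proxy 10.0.0.6 appends 10.0.0.5 and connects to us.
const FORGED_VIA_PROXIES = {
  socket: { remoteAddress: "10.0.0.6" },
  headers: { "x-forwarded-for": "127.0.0.1, 203.0.113.7, 10.0.0.5" },
};

// Constructed request: the same attacker connecting straight to the app, past the proxies.
const FORGED_DIRECT = {
  socket: { remoteAddress: "203.0.113.7" },
  headers: { "x-forwarded-for": "127.0.0.1" },
};

console.log("naive   :", naiveClientIp(FORGED_VIA_PROXIES), "loopback?", isLoopback(naiveClientIp(FORGED_VIA_PROXIES)));
console.log("hardened:", clientIp(FORGED_VIA_PROXIES), "loopback?", isLoopback(clientIp(FORGED_VIA_PROXIES)));
console.log("direct  :", clientIp(FORGED_DIRECT));
```

The check that matters is the one on the TCP peer: if the connection did not arrive from a proxy you control, the header is discarded entirely, which is what defeats the direct-connection case. Whichever form the configuration takes (an allowlist as here, or a count of trailing proxies to ignore as the advisory's setting suggests), it has to be updated whenever a proxy tier is added, which is the operational point of the patch note above.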
by Michael Hawkins. MathJax versions 2.7.2 and earlier contain a stored XSS risk. The MathJax URL has been updated to reference a newer version, which has the vulnerability patched.
Severity/Risk: Serious
Versions affected: 3.8 to 3.8.2, 3.7 to 3.7.5, 3.6 to 3.6.9, 3.5 to 3.5.11 and earlier unsupported versions
Versions fixed: 3.8.3, 3.7.6, 3.6.10 and 3.5.12
Reported by: Abdullah Hussam
Workaround: Manually update the MathJax URL in site administration to reference the patched version
More info:
https://moodle.org/mod/forum/discuss.php?d=403512&parent=1628590
by Michael Hawkins. It was possible to create a SCORM package in such a way that, when added to a course, it could be interacted with via web services in order to achieve remote code execution.
Severity/Risk: Serious
Versions affected: 3.8 to 3.8.2, 3.7 to 3.7.5, 3.6 to 3.6.9, 3.5 to 3.5.11 and earlier unsupported versions
Versions fixed: 3.8.3, 3.7.6, 3.6.10 and 3.5.12
Reported by: Paul Holden
Workaround: Disable the SCORM package activity type until the patch is applied.
CVE
More info:
https://moodle.org/mod/forum/discuss.php?d=403513&parent=1628593
by Michael Hawkins. The filter in the admin task log required extra sanitising to prevent a reflected XSS risk.
Severity/Risk: Serious
Versions affected: 3.9, 3.8 to 3.8.3 and 3.7 to 3.7.6
Versions fixed: 3.9.1, 3.8.4 and 3.7.7
Reported by: Spyridon Chatzimichail
CVE identifier: CVE-2020-14320
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-69128
Tracker issue: MDL-69128 Reflected XSS in admin task logs filter
More info:
https://moodle.org/mod/forum/discuss.php?d=407392&parent=1644267
by Michael Hawkins. The jQuery version used by the H5P library contained a prototype pollution risk; it has now been updated to a patched version.
Severity/Risk: Minor
Versions affected: 3.8 to 3.8.3
Versions fixed: 3.8.4 and 3.9
Reported by: weblendweb
CVE identifier: CVE-2019-11358
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-68704
Tracker issue: MDL-68704 Vulnerable JavaScript libraries: jQuery 1.9.1 (upstream)
More info:
https://moodle.org/mod/forum/discuss.php?d=407391&parent=1644266
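CVE-2019-11358 is the prototype pollution bug in jQuery.extend(true, ...) fixed in jQuery 3.4.0: a deep merge that recurses into target[key] without excluding the key "__proto__" ends up writing attacker-chosen properties onto Object.prototype, where every object in the page then inherits them. The following is an added example, not jQuery's, H5P's or Moodle's code, that reproduces the vulnerable merge pattern in a small generic function beside a hardened one, using a constructed JSON payload of the kind that reaches such a merge from a request body or query string.

```javascript
// Added example (not jQuery/H5P/Moodle code): the deep-merge pattern behind
// CVE-2019-11358 and the hardened form. Function names are illustrative.

const SENSITIVE_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function isPlainObject(v) {
  return v !== null && typeof v === "object" && !Array.isArray(v);
}

// VULNERABLE: recurses into target[key] for any nested object. When key is
// "__proto__", target["__proto__"] evaluates to Object.prototype, so the
// recursion copies the attacker's keys onto the shared prototype.
function mergeDeepVulnerable(target, source) {
  for (const key in source) {
    const value = source[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(target[key])) target[key] = {};
      mergeDeepVulnerable(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// HARDENED: only own keys of the source are considered, keys that reach into
// the prototype chain are skipped, and recursion only happens into objects the
// target actually owns (never into something it merely inherits).
function mergeDeepHardened(target, source) {
  for (const key of Object.keys(source)) {
    if (SENSITIVE_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) || !isPlainObject(target[key])) {
        target[key] = {};
      }
      mergeDeepHardened(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed attacker payload, as it would arrive via JSON.parse of a request
// body. JSON.parse creates an own property literally named "__proto__".
const PAYLOAD = JSON.parse('{"__proto__": {"isAdmin": true}, "name": "guest"}');

// Merge the payload into a fresh object with the given merge function, then
// check whether an unrelated object was affected. Cleans up afterwards so the
// next run starts from an unpolluted prototype. Returns true if pollution occurred.
function runPollutionDemo(merge) {
  const merged = merge({}, PAYLOAD);
  const unrelated = {};
  const polluted = unrelated.isAdmin === true;
  delete Object.prototype.isAdmin;
  return { polluted, name: merged.name };
}

console.log("vulnerable merge pollutes Object.prototype:", runPollutionDemo(mergeDeepVulnerable).polluted);
console.log("hardened merge pollutes Object.prototype:  ", runPollutionDemo(mergeDeepHardened).polluted);
```

The practical consequence is the check `if (user.isAdmin)` on some object the attacker never touched silently becoming true, which is why the bug is rated by what the surrounding application does with inherited properties rather than by the merge itself. Updating the library is the real fix; the skip-list shown here is the pattern to apply to any hand-written deep merge or "set nested path" helper in your own code.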
by Michael Hawkins. yui_combo needed to limit the number of files it can load to help mitigate the risk of denial of service.
Severity/Risk: Serious
Versions affected: 3.9, 3.8 to 3.8.3, 3.7 to 3.7.6, 3.5 to 3.5.12 and earlier unsupported versions
Versions fixed: 3.9.1, 3.8.4, 3.7.7 and 3.5.13
Reported by: Yuri Zwaig
CVE identifier: CVE-2020-14322
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-68426
Tracker issue: MDL-68426 yui_combo should mitigate
More info:
https://moodle.org/mod/forum/discuss.php?d=407394&parent=1644269
by Michael Hawkins. Teachers of a course were able to assign themselves the manager role within that course.
Severity/Risk: Serious
Versions affected: 3.9, 3.8 to 3.8.3, 3.7 to 3.7.6, 3.5 to 3.5.12 and earlier unsupported versions
Versions fixed: 3.9.1, 3.8.4, 3.7.7 and 3.5.13
Reported by: Kien Hoang
CVE identifier: CVE-2020-14321
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-69093
Tracker issue: MDL-69093 Course enrolments allowed privilege
More info:
https://moodle.org/mod/forum/discuss.php?d=407393&parent=1644268
More info:
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA11036&actp=RSS