by Michael Hawkins. Tokens used to fetch inline attachments in email notifications were not disabled when a user's account was no longer active. Note: to access files, a user would need to know the file path and their token.
Severity/Risk: Minor
Versions affected: 3.7 to 3.7.2 and 3.6 to 3.6.6
Versions fixed: 3.7.3 and 3.6.7
Reported by: Juan Leyva
CVE identifier: CVE-2019-14883
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-66377
Tracker
More info:
https://moodle.org/mod/forum/discuss.php?d=393586&parent=1586750
by Michael Hawkins. Messages required extra sanitizing before updating the conversation overview, to prevent the risk of stored XSS.
Severity/Risk: Serious
Versions affected: 3.8
Versions fixed: 3.8.1
Reported by: Cid da Costa
Workaround: Disable the messaging system until the patch has been applied.
CVE identifier: CVE-2020-1691
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-67637
Tracker issue: MDL-67637 Stored XSS in message conversation overview
More info:
https://moodle.org/mod/forum/discuss.php?d=395953&parent=1596360
by Michael Hawkins. Fatal error messages required extra sanitizing to prevent reflected XSS risks on some pages.
Severity/Risk: Serious
Versions affected: 3.7 to 3.7.2, 3.6 to 3.6.6, 3.5 to 3.5.8 and earlier unsupported versions
Versions fixed: 3.7.3, 3.6.7 and 3.5.9
Reported by: Yuriy Dyachenko
CVE identifier: CVE-2019-14884
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-66161
Tracker issue: MDL-66161 Reflected XSS possible from some fatal error
More info:
https://moodle.org/mod/forum/discuss.php?d=393587&parent=1586751
by Michael Hawkins. X-Forwarded-For headers could be used to spoof a user's IP, in order to bypass remote address checks.
PATCH NOTE: For user IPs to be checked (and logged) accurately after this patch is applied, sites using multiple levels of reverse proxies/balancers that append to the X-Forwarded-For header will need to configure the new "reverseproxyignore" setting. This ensures the IPs of the later proxies are ignored in favour of the user's IP.
Severity/Risk: Serious
More info:
https://moodle.org/mod/forum/discuss.php?d=398351&parent=1606855
by Michael Hawkins. Users viewing the grade history report without the "access all groups" capability were not restricted to viewing grades of users within their own groups.
Severity/Risk: Minor
Versions affected: 3.8 to 3.8.1, 3.7 to 3.7.4, 3.6 to 3.6.8, 3.5 to 3.5.10 and earlier unsupported versions
Versions fixed: 3.8.2, 3.7.5, 3.6.9 and 3.5.11
Reported by: Tim Hunt
CVE identifier: CVE-2020-1754
Changes
More info:
https://moodle.org/mod/forum/discuss.php?d=398350&parent=1606854
by Michael Hawkins. Insufficient input escaping was applied to the PHPUnit webrunner admin tool.
NOTE: It is important to note that this update is only flagged as a precautionary measure, as it may provide limited CLI access to Moodle site admins. This may be considered a security risk in circumstances where admins do not ordinarily have access to the server CLI and/or in some hosting situations where site admins are not considered trusted users. This tool will also be removed entirely from
More info:
https://moodle.org/mod/forum/discuss.php?d=398352&parent=1606856
https://www.wordfence.com/blog/2020/03/vulnerabilities-patched-in-impress-for-idx-broker/ On February 28, 2020, the Wordfence Threat Intelligence team became aware of a newly patched stored Cross-Site Scripting (XSS) vulnerability in IMPress for IDX Broker, a WordPress plugin with over 10,000 installations. Although all Wordfence users, including those still using the free version of Wordfence, were already protected from this vulnerability by the Web […]
More info:
https://www.wordfence.com/blog/2020/03/vulnerabilities-patched-in-impress-for-idx-broker/
https://www.wpsecurityauditlog.com/wordpress-admin/wordpress-activity-logs-newbies/ WordPress activity logs help site administrators better manage their WordPress websites and users, and keep them secure. Activity logs are also very helpful in a post hack scenario, to identify the source of the attack. If you are new to WordPress activity logs, this article is for you. We will explain what activity logs […]
More info:
https://www.wpsecurityauditlog.com/wordpress-admin/wordpress-activity-logs-newbies/
Intel product vulnerabilities CVE-2020-0550 and CVE-2020-0551 Security Advisory. Description: CVE-2020-0550 Improper data forwarding in some data cache for some Intel(R) Processors ...
More info:
https://support.f5.com/csp/article/K94552980?utm_source=f5support&utm_medium=RSS
BIG-IP HTTP/3 QUIC vulnerability CVE-2020-5859 Security Advisory. Description: Specially formatted HTTP/3 messages may cause the Traffic Management Microkernel (TMM) to produce a ...
More info:
https://support.f5.com/csp/article/K61367237?utm_source=f5support&utm_medium=RSS