ALT-PU-2019-2080-2

Package moodle updated to version 3.7.0-alt1 for branch sisyphus in task 232455.

A flaw was found in Moodle before 3.7, 3.6.4, 3.5.6, 3.4.9 and 3.1.18. The form to upload cohorts contained a redirect field, which was not restricted to internal URLs.

Severity: MEDIUM (5.8)Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N

Severity: MEDIUM (6.1)Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References:

A flaw was found in Moodle before 3.7, 3.6.4, 3.5.6, 3.4.9 and 3.1.18. The size of users' private file uploads via email were not correctly checked, so their quota allowance could be exceeded.

Severity: MEDIUM (4.3)Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Severity: LOW (3.7)Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

References:

A flaw was found in Moodle before versions 3.7, 3.6.4. A web service fetching messages was not restricted to the current user's conversations.

Severity: MEDIUM (5.0)Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Severity: HIGH (7.5)Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References:

Moodle Open Redirect Vulnerability

Severity: MEDIUM (6.1)Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References:

Moodle Private files uploaded via incoming mail processing could bypass quota restrictions

Severity: MEDIUM (4.2)Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L

References:

Moodle all messaging conversations could be viewed

Severity: HIGH (7.5)Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References:

Version: 2.1.2

Package moodle update in sisyphus on 2019-06-18

ALT-PU-2019-2080-2

Closed vulnerabilities

CVE-2019-10133

CVE-2019-10134

CVE-2019-10154

GHSA-5xp2-rv4h-mm2q

GHSA-j8wr-7xxj-c2fr

GHSA-ww45-x87c-wgff