Bug 1021046 (CVE-2017-2576) - VUL-0: CVE-2017-2576,CVE-2017-2578: moodle: multiple vulnerabilities
Summary: VUL-0: CVE-2017-2576,CVE-2017-2578: moodle: multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2017-2576
Product: openSUSE.org
Classification: openSUSE
Component: 3rd party software (show other bugs)
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal (vote)
Target Milestone: ---
Assignee: Lars Vogdt
QA Contact: Security Team bot
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-01-20 08:40 UTC by Andreas Stieger
Modified: 2017-10-18 08:00 UTC (History)
2 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Andreas Stieger 2017-01-20 08:40:44 UTC 
https://moodle.org/mod/forum/discuss.php?d=345911
MSA-17-0001: System file inclusion when adding own preset file in Boost theme

Description: 	HTML injection with potential XSS attack was possible by modifying URL for assignment submission and tricking another user into following it
Issue summary: 	XSS in assignment submission page
Severity/Risk: 	Minor
Versions affected: 	3.2 and 3.1 to 3.1.3
Versions fixed: 	3.2.1 and 3.1.4 (also backported to 2.7.18 and 3.0.8 as a precaution)
Reported by: 	Ago Luberg and Wael AbuSeada
Issue no.: 	MDL-57580
CVE identifier: 	CVE-2017-2578
Changes (master): 	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-57580


https://moodle.org/mod/forum/discuss.php?d=345912
MSA-17-0002: Incorrect sanitation of attributes in forums
Description: 	Forum post author can change too many fields when editing the post
Issue summary: 	Incorrect sanitation of attributes
Severity/Risk: 	Minor
Versions affected: 	3.2, 3.1 to 3.1.3, 3.0 to 3.0.7, 2.9 to 2.9.9, 2.8 to 2.8.12, 2.7 to 2.7.17 and earlier unsupported versions
Versions fixed: 	3.2.1, 3.1.4, 3.0.8 and 2.7.18
Reported by: 	Anshul Jain
Issue no.: 	MDL-56225
CVE identifier: 	CVE-2017-2576
Changes (master): 	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-56225


https://moodle.org/mod/forum/discuss.php?d=345914
MSA-17-0003: PHPMailer vulnerability in no-reply address
Description: 	Security vulnerability was reported against PHPMailer, third party library used by Moodle. As a result Moodle improved validation of no-reply address (that can only be configured by admin), all other fields were already properly sanitized. This issue only affect sites that leave $CFG->smtphosts empty.
Issue summary: 	Address the vulnerabilities in recent PHPMailer 5.2.x
Severity/Risk: 	Serious
Versions affected: 	3.2, 3.1 to 3.1.3, 3.0 to 3.0.7, 2.9 to 2.9.9, 2.8 to 2.8.12, 2.7 to 2.7.17 and earlier unsupported versions
Versions fixed: 	3.2.1, 3.1.4, 3.0.8 and 2.7.18
Reported by: 	Matteo Scaramuccia
Issue no.: 	MDL-57531
Workaround: 	Define $CFG->noreplyaddress and $CFG->supportemail in config.php
CVE identifier: 	CVE-2016-10045 (PHPMailer)
Changes (master): 	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-57531


https://moodle.org/mod/forum/discuss.php?d=345915
Description: 	HTML injection with potential XSS attack was possible by modifying URL for assignment submission and tricking another user into following it
Issue summary: 	XSS in assignment submission page
Severity/Risk: 	Minor
Versions affected: 	3.2 and 3.1 to 3.1.3
Versions fixed: 	3.2.1 and 3.1.4 (also backported to 2.7.18 and 3.0.8 as a precaution)
Reported by: 	Ago Luberg and Wael AbuSeada
Issue no.: 	MDL-57580
CVE identifier: 	CVE-2017-2578
Changes (master): 	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-57580
Comment 2 Swamp Workflow Management 2017-01-20 23:00:14 UTC 
bugbot adjusting priority
Comment 3 Lars Vogdt 2017-10-18 08:00:46 UTC 
Updated moodle3_1 to 3.1.8.
Updated moodle3_2 to 3.2.5.
Updated moodle3_3 to 3.3.2.

=> closing as fixed.