Moodle security updates

Number: AV17-036
Date: March 21, 2017

Purpose

The purpose of this advisory is to bring attention to multiple Moodle security vulnerabilities.

Assessment

Moodle has released the following support articles:

MSA-17-0005 - SQL injection via user preferences
MSA-17-0007 - Global search displays user names for unauthenticated users
MSA-17-0008 - XSS in evidence of prior learning
MSA-17-0009 - XSS in attachments to evidence of prior learning

Versions Affected: 3.2 to 3.2.1, 3.1 to 3.1.4, 3.0 to 3.0.8, 2.7.0 to 2.7.18 and other unsupported versions

CVE References: CVE-2017-2641, CVE-2017-2643, CVE-2017-2644, CVE-2017-2645

Suggested Action

CCIRC recommends that system administrators test and deploy the vendor-released updates to affected applications accordingly.
