JARVIS Server

Moodle mobile app 5.2.1 now available (includes security fix)

Mail detail

Moodle mobile app 5.2.1 now available (includes security fix)

securityalerts@moodle.org

Unread normal No attachments

Alleen lezen. Acties komen later.

Back to mail · Open API detail

Metadata

Mail id
19f667eba509680d
Thread id
19f667eba509680d
History id
1534364
Received
2026-07-15 17:56 CEST
Sync timestamp
Source
gmail
Importance
normal
Read
no
UNREADCATEGORY_UPDATESINBOX

Body preview

https://lists.moodle.org/w/QK8IylgjJd5VDfG7snO2ZQ/tq0lNDXhoqeaSOSsRiZOjA/O4gI1jehsqEox8920Y0AEpoQ

To all registered Moodle Administrators,

Mobile App Release - Includes Security Fix

I'm writing today to let you know that a new version (5.2.1) of the Moodle mobile app is now available, including an important security fix.

The security issue affects the official Moodle mobile app and apps built using its codebase. Pre-configured apps that only connect to a set list of sites, such as official Branded Moodle Apps, are not affected by this issue.

To avoid leaving your mobile app users vulnerable, we highly recommend asking your users to upgrade to the latest available Moodle mobile app version (https://lists.moodle.org/l/QK8IylgjJd5VDfG7snO2ZQ/h2vCeA4Uf1qQswVLt3NG0w/O4gI1jehsqEox8920Y0AEpoQ), and for you to make the following configuration change on your Moodle site: Open “Site administration” > “General” > “Mobile app authentication” and set the “Minimum app version required” setting to 5.2.1.

As a registered Moodle admin, you receive notice of fixed security issues before they are published more widely. In approximately one week, the details will also be available from https://lists.moodle.org/l/QK8IylgjJd5VDfG7snO2ZQ/i8y5VcZPBGnP8ujXuCakMQ/O4gI1jehsqEox8920Y0AEpoQ.

Juan Leyva
Moodle HQ

==============================================================================
Security Fixes
==============================================================================
MAPP-26-0001: Site plugin can read web service tokens from other stored sites

Description:       Insufficient Moodle app token isolation made it possible for
                   a Moodle site being logged into the app to access secure-storage
                   tokens for other Moodle sites the user already had configured in
                   their Moodle mobile app. This could result in compromise of the
                   user’s web service token if, for example, they were tricked into
                   logging into a malicious Moodle site in the Moodle app via a deep-link.
Issue summary:     Site plugin can read web service tokens from other stored sites
Severity/Risk:     Serious
Versions affected: 5.2.0 and earlier unsupported versions
Versions fixed:    5.2.1
Reported by:       Wai Han
Issue no.:         MOBILE-5071
CVE identifier:    Pending
Changes (main):    https://github.com/search?q=repo%3Amoodlehq%2Fmoodleapp+MOBILE-5071&type=commits
==============================================================================

You are receiving this email because you asked for Moodle security news when you registered a Moodle site. If you no longer wish to receive these emails, please re-register your site with your new preferences or use the unsubscribe link below. Note that this inbox is unmonitored, so replies to this email will not be read.

Link to unsubscribe: https://lists.moodle.org/unsubscribe/bXTqEtsi3kWFxAdkLpd763xS9j44lW2rbEg88pa815MRc/tq0lNDXhoqeaSOSsRiZOjA/O4gI1jehsqEox8920Y0AEpoQ

Recipients

onno.hardebol@gmail.com

CC

No CC

Attachments

No attachment metadata available.