Metadata
- Mail id
- 19f667eba509680d
- Thread id
- 19f667eba509680d
- History id
- 1534364
- Received
- 2026-07-15 17:56 CEST
- Sync timestamp
- —
- Source
- gmail
- Importance
- normal
- Read
- no
UNREADCATEGORY_UPDATESINBOX
Mail detail
securityalerts@moodle.org
Alleen lezen. Acties komen later.
Metadata
Body preview
https://lists.moodle.org/w/QK8IylgjJd5VDfG7snO2ZQ/tq0lNDXhoqeaSOSsRiZOjA/O4gI1jehsqEox8920Y0AEpoQ To all registered Moodle Administrators, Mobile App Release - Includes Security Fix I'm writing today to let you know that a new version (5.2.1) of the Moodle mobile app is now available, including an important security fix. The security issue affects the official Moodle mobile app and apps built using its codebase. Pre-configured apps that only connect to a set list of sites, such as official Branded Moodle Apps, are not affected by this issue. To avoid leaving your mobile app users vulnerable, we highly recommend asking your users to upgrade to the latest available Moodle mobile app version (https://lists.moodle.org/l/QK8IylgjJd5VDfG7snO2ZQ/h2vCeA4Uf1qQswVLt3NG0w/O4gI1jehsqEox8920Y0AEpoQ), and for you to make the following configuration change on your Moodle site: Open “Site administration” > “General” > “Mobile app authentication” and set the “Minimum app version required” setting to 5.2.1. As a registered Moodle admin, you receive notice of fixed security issues before they are published more widely. In approximately one week, the details will also be available from https://lists.moodle.org/l/QK8IylgjJd5VDfG7snO2ZQ/i8y5VcZPBGnP8ujXuCakMQ/O4gI1jehsqEox8920Y0AEpoQ. Juan Leyva Moodle HQ ============================================================================== Security Fixes ============================================================================== MAPP-26-0001: Site plugin can read web service tokens from other stored sites Description: Insufficient Moodle app token isolation made it possible for a Moodle site being logged into the app to access secure-storage tokens for other Moodle sites the user already had configured in their Moodle mobile app. This could result in compromise of the user’s web service token if, for example, they were tricked into logging into a malicious Moodle site in the Moodle app via a deep-link. Issue summary: Site plugin can read web service tokens from other stored sites Severity/Risk: Serious Versions affected: 5.2.0 and earlier unsupported versions Versions fixed: 5.2.1 Reported by: Wai Han Issue no.: MOBILE-5071 CVE identifier: Pending Changes (main): https://github.com/search?q=repo%3Amoodlehq%2Fmoodleapp+MOBILE-5071&type=commits ============================================================================== You are receiving this email because you asked for Moodle security news when you registered a Moodle site. If you no longer wish to receive these emails, please re-register your site with your new preferences or use the unsubscribe link below. Note that this inbox is unmonitored, so replies to this email will not be read. Link to unsubscribe: https://lists.moodle.org/unsubscribe/bXTqEtsi3kWFxAdkLpd763xS9j44lW2rbEg88pa815MRc/tq0lNDXhoqeaSOSsRiZOjA/O4gI1jehsqEox8920Y0AEpoQ
Recipients
onno.hardebol@gmail.com
CC
No CC
Attachments
No attachment metadata available.