Today, Moodle announced a security vulnerability in their platform. The vulnerability can be exploited by anyone who is registered with the Moodle site.
Any software application has these kinds of issues every now and then. The important part of vulnerabilities is how they are handled. First of all we ask all security researchers to apply the responsible disclosure principle. This means that any vulnerability found is initially only disclosed to the vendor, so that they are given time to fix the issue before the vulnerability is published. The vendor can then carefully analyse the issue, without pressure, and release a new version that has the issue correctly resolved.
In the Open Source world, the emphasis is on transparency. Any vulnerability is eventually published and shown to the world. As much as this provides more detail about the vulnerability, it allows anyone in the industry to make up their own mind about the vulnerability and to determine if they are affected or not. In general, the guidance from the software vendor (Moodle in this case) should be followed and upgrading to the latest release is very important. However, it also means that the exploit is available to everyone, including people who have bad intentions.
In the case of Moodle, there is an additional safety step. If your Moodle is managed by a Moodle partner, like Catalyst IT, the partner network is informed about the vulnerability before it is disclosed to the public.. This is because we are a network of trusted Moodle engineers, and we know that it is safe to share this information internally. The issue here is that it is of utmost importance to avoid leaking this information before it is officially announced, because that would endanger any site in the world, particularly those that are not managed by a Moodle partner.
Now that Moodle has released the new version that has fixed the security issue, it is crucial for everyone to upgrade to this latest version as soon as possible. But as Moodle partner, and in fact the Global Certified Moodle service provider of the year, we have already fixed the issue on all of our clients’ sites and we are pleased to confirm that no single Catalyst client is vulnerable to this issue. In fact, we are proud to have contributed to this issue, by allowing our developers and engineers to work on the fix and give it back to the Moodle community.
As Moodle partner we dedicate our teams to staying on top of issues like this, making sure that your data is safe and secure.