
To all registered Moodle Administrators,

A new version of the official Moodle app (3.7.2) has now been released.

This was an unplanned release due to a privately reported security issue.

If your Moodle site has the mobile service enabled, we’d like to make the following security recommendations:

  1. Encourage your users to upgrade their Moodle app to version 3.7.2.
     
  2. Delete existing Web Service tokens for the mobile service, by navigating to Site administration > Plugins > Web services > Manage tokens (your users will be asked to log in again when accessing the app).

    For sites with a large number of users, you can perform a bulk removal of tokens by removing the relevant entries from the “external_tokens” table in the database (filter by externalserviceid; for most sites there will be one value that matches the ID of the Moodle app service).
     
  3. Apply the following configuration change in your Moodle site: Go to Site administration > Security > Site security settings and set the value of the “User created token duration” option to 5 days. Once you are confident your users are aware they have to upgrade their Moodle app, you can then raise this setting to a higher value, such as 30 days.

At the same time, the Moodle Classic app was removed from the Google Play and Apple App stores. We are unable to provide an update for this app because of security restrictions on the stores. Please note that this app was only used for connecting to unsupported Moodle LMS versions. If your users will be affected by this change, we recommend upgrading your Moodle site to a supported version, so that users may use the latest version of the Moodle app.

If you have a custom branded app for your organisation, please ask your provider to upgrade your app as soon as possible. If your provider is not a Moodle partner, please contact us at mobile@moodle.com.

A public disclosure and CVE number will be published in the coming weeks.

As always, we are available for any further questions you may have. You can reach the mobile team at mobile@moodle.com.

Kind regards,


Moodle HQ
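
The bulk token removal described in recommendation 2, as an added example that is not part of the original email or Moodle's own tooling. It assumes the default `mdl_` table prefix and that the mobile service is the built-in one with short name `moodle_mobile_app`; confirm both with the first query, and back up the table, before deleting anything.

```sql
-- Added example; assumes the default "mdl_" table prefix.

-- 1. Find the ID of the Moodle app service. Assumption: it is the built-in
--    service with short name 'moodle_mobile_app'. Check that exactly one
--    row comes back and that it is the service you expect.
SELECT id, name, shortname, enabled
FROM mdl_external_services
WHERE shortname = 'moodle_mobile_app';

-- 2. Measure the impact: how many tokens and how many users will have to
--    log in again.
SELECT COUNT(*) AS tokens, COUNT(DISTINCT userid) AS users
FROM mdl_external_tokens
WHERE externalserviceid = (
    SELECT id FROM mdl_external_services
    WHERE shortname = 'moodle_mobile_app'
);

-- 3. Delete inside a transaction so the affected-row count can be compared
--    with "tokens" from step 2 before anything becomes permanent.
BEGIN;

DELETE FROM mdl_external_tokens
WHERE externalserviceid = (
    SELECT id FROM mdl_external_services
    WHERE shortname = 'moodle_mobile_app'
);

-- If the reported row count does not match step 2, run ROLLBACK instead.
COMMIT;

-- 4. Verify: no tokens should remain for the mobile service, while tokens
--    issued for other web services are still present.
SELECT externalserviceid, COUNT(*) AS tokens
FROM mdl_external_tokens
GROUP BY externalserviceid;
```

Only rows whose `externalserviceid` matches the mobile service are removed, so tokens used by other integrations stay valid.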
