The "classname" parameter on the admin ad-hoc tasks page required additional sanitizing to prevent a reflected XSS risk.
| Severity/Risk: | Serious |
| Versions affected: | 4.3 and 4.2 to 4.2.3 |
| Versions fixed: | 4.3.1 and 4.2.4 |
| Reported by: | Paul Holden |
| CVE identifier: | CVE-2023-6670 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-79839 |
| Tracker issue: | MDL-79839 Reflected XSS risk on ad-hoc tasks page |
The mtrace output when running a task in the admin UI required additional sanitizing to prevent an XSS risk.
| Severity/Risk: | Minor |
| Versions affected: | 4.3, 4.2 to 4.2.3, 4.1 to 4.1.6, 4.0 to 4.0.11, 3.11 to 3.11.17, 3.9 to 3.9.24 and earlier unsupported versions |
| Versions fixed: | 4.3.1, 4.2.4, 4.1.7, 4.0.12, 3.11.18 and 3.9.25 |
| Reported by: | Brendan Heywood |
| CVE identifier: | CVE-2023-6669 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-80309 |
| Tracker issue: | MDL-80309 XSS risk when manually running a task in the admin UI |
Insufficient capability checks meant it was possible for all users to view the recipients of badges.
| Severity/Risk: | Minor |
| Versions affected: | 4.3, 4.2 to 4.2.3, 4.1 to 4.1.6, 4.0 to 4.0.11, 3.11 to 3.11.17, 3.9 to 3.9.24 and earlier unsupported versions |
| Versions fixed: | 4.3.1, 4.2.4, 4.1.7, 4.0.12, 3.11.18 and 3.9.25 |
| Reported by: | Sara Arjona (@sarjona) |
| CVE identifier: | CVE-2023-6668 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-80268 |
| Tracker issue: | MDL-80268 Badge recipients are available to all users |
Separate Groups mode restrictions were not honoured in survey response reports, which would display users from other groups.
| Severity/Risk: | Minor |
| Versions affected: | 4.3, 4.2 to 4.2.3, 4.1 to 4.1.6, 4.0 to 4.0.11, 3.11 to 3.11.17, 3.9 to 3.9.24 and earlier unsupported versions |
| Versions fixed: | 4.3.1, 4.2.4, 4.1.7, 4.0.12, 3.11.18 and 3.9.25 |
| Reported by: | Leon Stringer |
| CVE identifier: | CVE-2023-6667 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-79980 |
| Tracker issue: | MDL-79980 Survey responses did not respect group settings |
The grader report search required additional sanitizing to prevent a reflected XSS risk.
| Severity/Risk: | Minor |
| Versions affected: | 4.3 and 4.2 to 4.2.3 |
| Versions fixed: | 4.3.1 and 4.2.4 |
| Reported by: | Paul Holden |
| CVE identifier: | CVE-2023-6666 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-80287 |
| Tracker issue: | MDL-80287 Reflected XSS risk in grader report search |
ID numbers displayed in the grader report required additional sanitizing to prevent a stored XSS risk.
| Severity/Risk: | Minor |
| Versions affected: | 4.3 and 4.2 to 4.2.3 |
| Versions fixed: | 4.3.1 and 4.2.4 |
| Reported by: | Paul Holden |
| CVE identifier: | CVE-2023-6665 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-80239 |
| Tracker issue: | MDL-80239 Stored XSS in grader report via user ID number |
Separate Groups mode restrictions were not honoured in the Logs and Live logs course reports, which would display users from other groups.
| Severity/Risk: | Minor |
| Versions affected: | 4.3, 4.2 to 4.2.3, 4.1 to 4.1.6, 4.0 to 4.0.11, 3.11 to 3.11.17, 3.9 to 3.9.24 and earlier unsupported versions |
| Versions fixed: | 4.3.1, 4.2.4, 4.1.7, 4.0.12, 3.11.18 and 3.9.25 |
| Reported by: | Ankit Agarwal |
| CVE identifier: | CVE-2023-6664 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-41465 |
| Tracker issue: | MDL-41465 Logs and Live logs course reports did not respect activity group settings |
A remote code execution risk was identified in course blocks. By default this was only available to teachers and managers.
| Severity/Risk: | Serious |
| Versions affected: | 4.3, 4.2 to 4.2.3, 4.1 to 4.1.6, 4.0 to 4.0.11, 3.11 to 3.11.17, 3.9 to 3.9.24 and earlier unsupported versions |
| Versions fixed: | 4.3.1, 4.2.4, 4.1.7, 4.0.12, 3.11.18 and 3.9.25 |
| Reported by: | Vincent Schneider (cli-ish) |
| CVE identifier: | CVE-2023-6663 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-79797 |
| Tracker issue: | MDL-79797 Authenticated remote code execution risk in course blocks |
Insufficient recursion limitations resulted in a denial of service risk in the URL downloader.
| Severity/Risk: | Serious |
| Versions affected: | 4.3, 4.2 to 4.2.3, 4.1 to 4.1.6, 4.0 to 4.0.11, 3.11 to 3.11.17, 3.9 to 3.9.24 and earlier unsupported versions |
| Versions fixed: | 4.3.1, 4.2.4, 4.1.7, 4.0.12, 3.11.18 and 3.9.25 |
| Reported by: | herocharge |
| CVE identifier: | CVE-2023-6662 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-79759 |
| Tracker issue: | MDL-79759 DOS risk in URL downloader |
A remote code execution risk was identified in logstore. By default this was only available to managers.
| Severity/Risk: | Serious |
| Versions affected: | 4.3, 4.2 to 4.2.3, 4.1 to 4.1.6, 4.0 to 4.0.11, 3.11 to 3.11.17, 3.9 to 3.9.24 and earlier unsupported versions |
| Versions fixed: | 4.3.1, 4.2.4, 4.1.7, 4.0.12, 3.11.18 and 3.9.25 |
| Reported by: | Vincent Schneider (cli-ish) |
| CVE identifier: | CVE-2023-6661 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-80174 |
| Tracker issue: | MDL-80174 Authenticated remote code execution risk in logstore as manager |
