Security announcements

MSA-23-0043: Forum summary report shows students from other groups when in Separate Groups mode

Posted by Michael Hawkins

Separate Groups mode restrictions were not honoured in the forum summary report, which would display users from other groups.


Severity/Risk: Minor
Versions affected: 4.2 to 4.2.2, 4.1 to 4.1.5, 4.0 to 4.0.10, 3.11 to 3.11.16, 3.9 to 3.9.23 and earlier unsupported versions
Versions fixed: 4.2.3, 4.1.6, 4.0.11, 3.11.17 and 3.9.24
Reported by: Fabián Glagovsky
CVE identifier: CVE-2023-5551
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-79310
Tracker issue: MDL-79310 Forum summary report shows students from other groups when in Separate Groups mode

MSA-23-0042: RCE due to LFI risk in some misconfigured shared hosting environments

Posted by Michael Hawkins

In a shared hosting environment that has been misconfigured to allow access to other users' content, a Moodle user who also has direct access to the web server outside of the Moodle webroot could utilise a local file include to achieve remote code execution.


Severity/Risk: Serious
Versions affected: 4.2 to 4.2.2, 4.1 to 4.1.5, 4.0 to 4.0.10, 3.11 to 3.11.16, 3.9 to 3.9.23 and earlier unsupported versions
Versions fixed: 4.2.3, 4.1.6, 4.0.11, 3.11.17 and 3.9.24
Reported by: 0xkasper
CVE identifier: CVE-2023-5550
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-72249
Tracker issue: MDL-72249 RCE due to LFI risk in some misconfigured shared hosting environments

MSA-23-0041: Insufficient capability checks when updating the parent of a course category

Posted by Michael Hawkins

Insufficient web service capability checks made it possible to move categories that a user had permission to manage into a parent category they did not have the capability to manage.


Severity/Risk: Minor
Versions affected: 4.2 to 4.2.2, 4.1 to 4.1.5, 4.0 to 4.0.10, 3.11 to 3.11.16, 3.9 to 3.9.23 and earlier unsupported versions
Versions fixed: 4.2.3, 4.1.6, 4.0.11, 3.11.17 and 3.9.24
Reported by: Erica Bithell
CVE identifier: CVE-2023-5549
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-66730
Tracker issue: MDL-66730 Insufficient capability checks when updating the parent of a course category

MSA-23-0040: Make file serving endpoints revision control stricter

Posted by Michael Hawkins

Stronger revision number limitations were required on file serving endpoints to improve cache poisoning protection.


Severity/Risk: Minor
Versions affected: 4.2 to 4.2.2, 4.1 to 4.1.5, 4.0 to 4.0.10, 3.11 to 3.11.16, 3.9 to 3.9.23 and earlier unsupported versions
Versions fixed: 4.2.3, 4.1.6, 4.0.11, 3.11.17 and 3.9.24
Reported by: Yaniv Nizry (SonarSource)
CVE identifier: CVE-2023-5548
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-77846
Tracker issue: MDL-77846 Make file serving endpoints revision control stricter

MSA-23-0039: XSS risk when previewing data in course upload tool

Posted by Michael Hawkins

The course upload preview contained an XSS risk for users uploading unsafe data.


Severity/Risk: Minor
Versions affected: 4.2 to 4.2.2, 4.1 to 4.1.5, 4.0 to 4.0.10, 3.11 to 3.11.16, 3.9 to 3.9.23 and earlier unsupported versions
Versions fixed: 4.2.3, 4.1.6, 4.0.11, 3.11.17 and 3.9.24
Reported by: Paul Holden
Workaround: Verify the contents and trustworthiness of course data before uploading it.
CVE identifier: CVE-2023-5547
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-79455
Tracker issue: MDL-79455 XSS risk when previewing data in course upload tool

MSA-23-0038: Stored XSS in quiz grading report via user ID number

Posted by Michael Hawkins

ID numbers displayed in the quiz grading report required additional sanitizing to prevent a stored XSS risk.


Severity/Risk: Minor
Versions affected: 4.2 to 4.2.2, 4.1 to 4.1.5 and 4.0 to 4.0.10
Versions fixed: 4.2.3, 4.1.6 and 4.0.11
Reported by: Paul Holden
CVE identifier: CVE-2023-5546
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-78971
Tracker issue: MDL-78971 Stored XSS in quiz grading report via user ID number

MSA-23-0037: Auto-populated H5P author name causes a potential information leak

Posted by Michael Hawkins

H5P metadata automatically populated the author with the user's username, which could be sensitive information.


Severity/Risk: Minor
Versions affected: 4.2 to 4.2.2, 4.1 to 4.1.5, 4.0 to 4.0.10, 3.11 to 3.11.16, 3.9 to 3.9.23 and earlier unsupported versions
Versions fixed: 4.2.3, 4.1.6, 4.0.11, 3.11.17 and 3.9.24
Reported by: Josh Manders
CVE identifier: CVE-2023-5545
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-78820
Tracker issue: MDL-78820 Auto-populated H5P author name causes a potential information leak

MSA-23-0036: Stored XSS and potential IDOR risk in Wiki comments

Posted by Michael Hawkins

Wiki comments required additional sanitizing and access restrictions to prevent a stored XSS risk and potential IDOR risk.


Severity/Risk: Serious
Versions affected: 4.2 to 4.2.2, 4.1 to 4.1.5, 4.0 to 4.0.10, 3.11 to 3.11.16, 3.9 to 3.9.23 and earlier unsupported versions
Versions fixed: 4.2.3, 4.1.6, 4.0.11, 3.11.17 and 3.9.24
Reported by: h1w0rld
CVE identifier: CVE-2023-5544
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-79509
Tracker issue: MDL-79509 Stored XSS and potential IDOR risk in Wiki comments

MSA-23-0035: Duplicating a BigBlueButton activity assigns the same meeting ID

Posted by Michael Hawkins

When duplicating a BigBlueButton activity, the original meeting ID was also duplicated instead of using a new ID for the new activity. This could provide unintended access to the original meeting.


Severity/Risk: Minor
Versions affected: 4.2 to 4.2.2, 4.1 to 4.1.5 and 4.0 to 4.0.10
Versions fixed: 4.2.3, 4.1.6 and 4.0.11
Reported by: Lionel Caylat
Workaround: Manually create a fresh BigBlueButton activity instead of duplicating, until the patch has been applied.
CVE identifier: CVE-2023-5543
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-77795
Tracker issue: MDL-77795 Duplicating a BigBlueButton activity assigns the same meeting ID

MSA-23-0034: Students could see other students in "Only see own membership" groups

Posted by Michael Hawkins

Students in "Only see own membership" groups could see other students in the group, which should be hidden.


Severity/Risk: Minor
Versions affected: 4.2.2
Versions fixed: 4.2.3
Reported by: Eliot
CVE identifier: CVE-2023-5542
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-79213
Tracker issue: MDL-79213 Students could see other students in "Only see own membership" groups