Security announcements

MSA-22-0005: SQL injection risk in Badges criteria code

Posted by Michael Hawkins

An SQL injection risk was identified in Badges code relating to configuring criteria. Access to the relevant capability was limited to teachers and managers by default.

NOTE: Please pay particular attention to this fix. Information was recently released online about this vulnerability by third parties, so please upgrade or patch as soon as you are able to. We prepared the patch for this as soon as we became aware of the issue, to ensure a fix was available for this release.

It is important to reiterate that this vulnerability is only accessible by teachers/managers/admins by default, because it requires the capability to add and enable badge criteria. As mentioned in the workaround listed below, this can be mitigated (on all non-admin users) by removing the relevant capability until the patch is applied.

Severity/Risk: Serious
Versions affected: 3.11 to 3.11.5, 3.10 to 3.10.9, 3.9 to 3.9.12 and earlier unsupported versions
Versions fixed: 3.11.6, 3.10.10 and 3.9.13
Workaround: Remove the moodle/badges:configurecriteria capability from users to prevent them accessing the affected functionality until the patch is applied.
CVE identifier: CVE-2022-0983
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-74074
Tracker issue: MDL-74074 SQL injection risk in Badges criteria code

MSA-22-0004: CSRF risk in badge alignment deletion

Posted by Michael Hawkins

The "delete badge alignment" functionality did not include the necessary token check to prevent a CSRF risk.
Severity/Risk: Serious
Versions affected: 3.11 to 3.11.4, 3.10 to 3.10.8, 3.9 to 3.9.11 and earlier unsupported versions
Versions fixed: 3.11.5, 3.10.9 and 3.9.12
Reported by: Ostapbender
CVE identifier: CVE-2022-0335
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-72367
Tracker issue: MDL-72367 CSRF risk in badge alignment deletion

MSA-22-0003: Capability gradereport/user:view not always respected when navigating to a user's course grade report

Posted by Michael Hawkins

Insufficient capability checks could lead to users accessing their grade report for courses where they did not have the required gradereport/user:view capability.
Severity/Risk: Minor
Versions affected: 3.11 to 3.11.4, 3.10 to 3.10.8, 3.9 to 3.9.11 and earlier unsupported versions
Versions fixed: 3.11.5, 3.10.9 and 3.9.12
Reported by: Deds Castillo
CVE identifier: CVE-2022-0334
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-72772
Tracker issue: MDL-72772 Capability gradereport/user:view not always respected when navigating to a user's course grade report

MSA-22-0002: calendar:manageentries capability allows CRUD access to all calendar events

Posted by Michael Hawkins

The calendar:manageentries capability allowed managers to access or modify any calendar event, although it should have excluded user-level events.

Severity/Risk: Minor
Versions affected: 3.11 to 3.11.4, 3.10 to 3.10.8, 3.9 to 3.9.11 and earlier unsupported versions
Versions fixed: 3.11.5, 3.10.9 and 3.9.12
Reported by: oct0pus7
CVE identifier: CVE-2022-0333
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71239
Tracker issue: MDL-71239 calendar:manageentries capability allows CRUD access to all calendar events

MSA-22-0001: SQL injection risk in code fetching h5p activity user attempts

Posted by Michael Hawkins

An SQL injection risk was identified in the h5p activity web service responsible for fetching user attempt data.
Severity/Risk: Serious
Versions affected: 3.11 to 3.11.4
Versions fixed: 3.11.5
Reported by: Paul Holden
CVE identifier: CVE-2022-0332
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-72573
Tracker issue: MDL-72573 SQL injection risk in code fetching h5p activity user attempts

MSA-21-0042: IDOR in a calendar web service allows fetching of other users' action events

Posted by Michael Hawkins

Insufficient capability checks made it possible to fetch other users' calendar action events.
Severity/Risk: Minor
Versions affected: 3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10 and earlier unsupported versions
Versions fixed: 3.11.4, 3.10.8 and 3.9.11
Reported by: 0xkasper
CVE identifier: CVE-2021-43560
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71918
Tracker issue: MDL-71918 IDOR in a calendar web service allows fetching of other users' action events

MSA-21-0041: CSRF risk on delete related badge feature

Posted by Michael Hawkins

The "delete related badge" functionality did not include the necessary token check to prevent a CSRF risk.
Severity/Risk: Serious
Versions affected: 3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10 and earlier unsupported versions
Versions fixed: 3.11.4, 3.10.8 and 3.9.11
Reported by: ostapbender
CVE identifier: CVE-2021-43559
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-72370
Tracker issue: MDL-72370 CSRF risk on delete related badge feature

MSA-21-0040: Reflected XSS in filetype admin tool

Posted by Michael Hawkins

A URL parameter in the filetype site administrator tool required extra sanitizing to prevent a reflected XSS risk.
Severity/Risk: Serious
Versions affected: 3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10 and earlier unsupported versions
Versions fixed: 3.11.4, 3.10.8 and 3.9.11
Reported by: starlabs_sg
CVE identifier: CVE-2021-43558
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-72571
Tracker issue: MDL-72571 Reflected XSS in filetype admin tool

MSA-21-0039: Upgrade moodle-mlbackend-python and update its reference in /lib/mlbackend/python/classes/processor.php (upstream)

Posted by Michael Hawkins

The upstream Moodle machine learning backend and its reference in /lib/mlbackend/python/classes/processor.php were upgraded, which includes some security updates.

Please note: If you are using Moodle Analytics, an upgrade to the mlbackend is required. See the Analytics settings documentation for more information about required versions and how to upgrade.

Severity/Risk: Minor
Versions affected: 3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10 and earlier unsupported versions
Versions fixed: 3.11.4, 3.10.8 and 3.9.11
Reported by: Sara Arjona
CVE identifier: N/A
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-70887
Tracker issue: MDL-70887 Upgrade moodle-mlbackend-python and update its reference in /lib/mlbackend/python/classes/processor.php (upstream)

MSA-21-0038: Remote code execution risk when restoring malformed backup file

Posted by Michael Hawkins

A remote code execution risk when restoring backup files was identified.
Severity/Risk: Serious
Versions affected: 3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10 and earlier unsupported versions
Versions fixed: 3.11.4, 3.10.8 and 3.9.11
Reported by: Paul Holden
CVE identifier: CVE-2021-3943
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-70823
Tracker issue: MDL-70823 Remote code execution risk when restoring malformed backup file