A limited SQL injection risk was identified in the "browse list of users" site administration page.
| Severity/Risk: | Minor |
| Versions affected: | 4.0 to 4.0.3, 3.11 to 3.11.9, 3.9 to 3.9.16 and earlier unsupported versions |
| Versions fixed: | 4.0.4, 3.11.10 and 3.9.17 |
| Reported by: | Vincent |
| CVE identifier: | CVE-2022-40315 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-75283 |
| Tracker issue: | MDL-75283 Minor SQL injection risk in admin user browsing |
A remote code execution risk when restoring backup files originating from Moodle 1.9 was identified.
| Severity/Risk: | Serious |
| Versions affected: | 4.0 to 4.0.3, 3.11 to 3.11.9, 3.9 to 3.9.16 and earlier unsupported versions |
| Versions fixed: | 4.0.4, 3.11.10 and 3.9.17 |
| Reported by: | Paul Holden |
| CVE identifier: | CVE-2022-40314 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-75405 |
| Tracker issue: | MDL-75405 Remote code execution risk when restoring malformed backup file from Moodle 1.9 |
Recursive rendering of Mustache template helpers containing user input could, in some cases, result in an XSS risk or a page failing to load.
| Severity/Risk: | Serious |
| Versions affected: | 4.0 to 4.0.3, 3.11 to 3.11.9, 3.9 to 3.9.16 and earlier unsupported versions |
| Versions fixed: | 4.0.4, 3.11.10 and 3.9.17 |
| Reported by: | Adam Roberts, NCC Group |
| CVE identifier: | CVE-2022-40313 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-68066 |
| Tracker issue: | MDL-68066 Stored XSS and page denial of service risks due to recursive rendering in Mustache template helpers |
Enabling and disabling installed H5P libraries did not include the necessary token to prevent a CSRF risk.
| Severity/Risk: | Minor |
| Versions affected: | 4.0 to 4.0.2 and 3.11 to 3.11.8 |
| Versions fixed: | 4.0.3 and 3.11.9 |
| Reported by: | Paul Holden |
| CVE identifier: | CVE-2022-2986 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-75326 |
| Tracker issue: | MDL-75326 CSRF risk in enabling/disabling installed H5P libraries |
The Mustache template library included with Moodle has been upgraded to the latest version, which includes a fix for a serious security issue.
| Severity/Risk: | Serious |
| Versions affected: | 4.0 to 4.0.2, 3.11 to 3.11.8, 3.9 to 3.9.15 and earlier unsupported versions |
| Versions fixed: | 4.0.3, 3.11.9 and 3.9.16 |
| Reported by: | Lars Bonczek |
| CVE identifier: | CVE-2022-0323 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-75388 |
| Tracker issue: | MDL-75388 Upgrade Mustache to latest version (upstream) |
The upstream Moodle machine learning backend and its reference in /lib/mlbackend/python/classes/processor.php were upgraded, which includes some security updates.
| Please note: | If you are using Moodle Analytics, an upgrade to the mlbackend is required. See the Analytics settings documentation for more information about required versions and how to upgrade. |
| Severity/Risk: | Minor |
| Versions affected: | 4.0 to 4.0.1, 3.11 to 3.11.7, 3.9 to 3.9.14 and earlier unsupported versions |
| Versions fixed: | 4.0.2, 3.11.8 and 3.9.15 |
| Reported by: | Ilya Tregubov |
| CVE identifier: | N/A |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-74473 |
| Tracker issue: | MDL-74473 Upgrade moodle-mlbackend-python and update its reference in /lib/mlbackend/python/classes/processor.php (upstream) |
A minor reflected XSS risk was identified in the LTI module. This did not impact authenticated users.
| Severity/Risk: | Minor |
| Versions affected: | 4.0 to 4.0.1, 3.11 to 3.11.7, 3.9 to 3.9.14 and earlier unsupported versions |
| Versions fixed: | 4.0.2, 3.11.8 and 3.9.15 |
| Reported by: | Luuk Verhoeven |
| CVE identifier: | CVE-2022-35653 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-72299 |
| Tracker issue: | MDL-72299 LTI module reflected XSS risk - affecting unauthenticated users only |
The mobile auto-login URL required additional sanitizing to prevent an open redirect risk.
| Severity/Risk: | Minor |
| Versions affected: | 4.0 to 4.0.1, 3.11 to 3.11.7, 3.9 to 3.9.14 and earlier unsupported versions |
| Versions fixed: | 4.0.2, 3.11.8 and 3.9.15 |
| Reported by: | petermaster |
| CVE identifier: | CVE-2022-35652 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-72171 |
| Tracker issue: | MDL-72171 Open redirect risk in mobile auto-login feature |
Insufficient sanitizing of SCORM track details presented stored XSS and blind SSRF risks.
| Severity/Risk: | Serious |
| Versions affected: | 4.0 to 4.0.1, 3.11 to 3.11.7, 3.9 to 3.9.14 and earlier unsupported versions |
| Versions fixed: | 4.0.2, 3.11.8 and 3.9.15 |
| Reported by: | Rekter0 |
| CVE identifier: | CVE-2022-35651 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71921 |
| Tracker issue: | MDL-71921 Stored XSS and blind SSRF possible via SCORM track details |
Insufficient path checks in a lesson question import resulted in an arbitrary file read risk. The capability to access this feature is only available to teachers, managers and admins by default.
| Severity/Risk: | Serious |
| Versions affected: | 4.0 to 4.0.1, 3.11 to 3.11.7, 3.9 to 3.9.14 and earlier unsupported versions |
| Versions fixed: | 4.0.2, 3.11.8 and 3.9.15 |
| Reported by: | loknop |
| CVE identifier: | CVE-2022-35650 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-72029 |
| Tracker issue: | MDL-72029 Arbitrary file read when importing lesson questions |