Security announcements

MSA-23-0003: Possible to set the preferred "start page" of other users

Posted by Michael Hawkins

Insufficient limitations on the "start page" preference made it possible to set that preference for another user. (Note: this was still limited to the pre-defined start page options.)

Severity/Risk: Minor
Versions affected: 4.1, 4.0 to 4.0.5, 3.11 to 3.11.11, 3.9 to 3.9.18 and earlier unsupported versions
Versions fixed: 4.1.1, 4.0.6, 3.11.12 and 3.9.19
Reported by: Paul Holden
CVE identifier: CVE-2023-23923
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-76862
Tracker issue: MDL-76862 Possible to set the preferred "start page" of other users

MSA-23-0002: Reflected XSS risk in blog search

Posted by Michael Hawkins

Blog search required additional sanitizing to prevent a reflected XSS risk.

Severity/Risk: Serious
Versions affected: 4.1 and 4.0 to 4.0.5
Versions fixed: 4.1.1, 4.0.6
Reported by: Unknown (name not provided)
CVE identifier: CVE-2023-23922
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-76861
Tracker issue: MDL-76861 Reflected XSS risk in blog search

MSA-23-0001: Reflected XSS risk in some returnurl parameters

Posted by Michael Hawkins

Some returnurl parameters required additional sanitizing to prevent a reflected XSS risk.

Severity/Risk: Serious
Versions affected: 4.1, 4.0 to 4.0.5, 3.11 to 3.11.11, 3.9 to 3.9.18 and earlier unsupported versions
Versions fixed: 4.1.1, 4.0.6, 3.11.12 and 3.9.19
Reported by: DegrangeM
CVE identifier: CVE-2023-23921
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-76810
Tracker issue: MDL-76810 Reflected XSS risk in some returnurl parameters

MSA-22-0032: Blind SSRF risk in LTI provider library

Posted by Michael Hawkins

Moodle's LTI provider library did not utilise Moodle's inbuilt cURL helper, which resulted in a blind SSRF risk.

Severity/Risk: Serious
Versions affected: 4.0 to 4.0.4, 3.11 to 3.11.10, 3.9 to 3.9.17 and earlier unsupported versions
Versions fixed: 4.0.5, 3.11.11 and 3.9.18
Reported by: Rekter0 and Holme
CVE identifier: CVE-2022-45152
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71920
Tracker issue: MDL-71920 Blind SSRF risk in LTI provider library

MSA-22-0031: Stored XSS possible in some "social" user profile fields

Posted by Michael Hawkins

The "social" user profile field type performed insufficient escaping on some fields, resulting in a stored XSS risk.

Severity/Risk: Serious
Versions affected: 4.0 to 4.0.4 and 3.11 to 3.11.10
Versions fixed: 4.0.5 and 3.11.11
Reported by: Bernardo Cabral
Workaround: Update "social" user profile fields so their visibility is set to "not visible", until the patch is applied.
CVE identifier: CVE-2022-45151
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-76131
Tracker issue: MDL-76131 Stored XSS possible in some "social" user profile fields

MSA-22-0030: Reflected XSS risk in policy tool

Posted by Michael Hawkins

The return URL in the policy tool required extra sanitizing to prevent a reflected XSS risk.

Severity/Risk: Serious
Versions affected: 4.0 to 4.0.4, 3.11 to 3.11.10, 3.9 to 3.9.17 and earlier unsupported versions
Versions fixed: 4.0.5, 3.11.11 and 3.9.18
Reported by: Eric Merrill
CVE identifier: CVE-2022-45150
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-76091
Tracker issue: MDL-76091 Reflected XSS risk in policy tool

MSA-22-0029: Course restore - CSRF token passed in course redirect URL

Posted by Michael Hawkins

A user's CSRF token was unnecessarily included in the URL when they were redirected to a course they had just restored.

Severity/Risk: Minor
Versions affected: 4.0 to 4.0.4, 3.11 to 3.11.10, 3.9 to 3.9.17 and earlier unsupported versions
Versions fixed: 4.0.5, 3.11.11 and 3.9.18
Reported by: Michael Hawkins
CVE identifier: CVE-2022-45149
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-75862
Tracker issue: MDL-75862 Course restore - CSRF token passed in course redirect URL

MSA-22-0028: Apply upstream security fix to VideoJS library to remove XSS risk

Posted by Michael Hawkins

An upstream security patch was applied to the third-party VideoJS library included with Moodle, on versions affected by an XSS risk.

Severity/Risk: Serious
Versions affected: 3.11 to 3.11.10, 3.9 to 3.9.17 and earlier unsupported versions
Versions fixed: 3.11.11 and 3.9.18
Reported by: Vincent
CVE identifier: CVE-2021-23414 (upstream)
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-75278
Tracker issue: MDL-75278 Apply upstream security fix to VideoJS library to remove XSS risk

MSA-22-0027: Quiz sequential navigation bypass using web services

Posted by Michael Hawkins

Insufficient limitations in some quiz web services made it possible for students to bypass sequential navigation during a quiz attempt.

Severity/Risk: Minor
Versions affected: 4.0 to 4.0.2, 3.11 to 3.11.8, 3.9 to 3.9.15 and earlier unsupported versions
Versions fixed: 4.0.3, 3.11.9 and 3.9.16
Reported by: omaralbalouli
CVE identifier: CVE-2022-40208
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-75210
Tracker issue: MDL-75210 Quiz sequential navigation bypass using web services

MSA-22-0026: No groups filtering in H5P activity attempts report

Posted by Michael Hawkins

The H5P activity attempts report did not filter by groups, which in separate groups mode could reveal information to non-editing teachers about attempts and users in groups they should not have access to.

Severity/Risk: Minor
Versions affected: 4.0 to 4.0.3, 3.11 to 3.11.9, 3.9 to 3.9.16 and earlier unsupported versions
Versions fixed: 4.0.4, 3.11.10 and 3.9.17
Reported by: Jari Vilkman and Bjørn Teistung
Workaround: Access to this feature can be revoked by removing the mod/h5pactivity:reviewattempts capability from relevant users until the patch is applied.
CVE identifier: CVE-2022-40316
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71662 and http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-72012
Tracker issue: MDL-71662 and MDL-72012 No groups filtering in H5P activity attempts report