Security announcements

MSA-23-0023: Stored self-XSS escalated to stored XSS via OAuth 2 login

Posted by Michael Hawkins

It was possible to escalate stored self-XSS to stored XSS where users login via OAuth 2.


Severity/Risk: Serious
Versions affected: 4.2 to 4.2.1, 4.1 to 4.1.4, 4.0 to 4.0.9, 3.11 to 3.11.15, 3.9 to 3.9.22 and earlier unsupported versions
Versions fixed: 4.2.2, 4.1.5, 4.0.10, 3.11.16 and 3.9.23
Reported by: Yaniv Nizry (SonarSource)
CVE identifier: CVE-2023-40320
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-78685
Tracker issue: MDL-78685 Stored self-XSS escalated to stored XSS via OAuth 2 login

MSA-23-0022: SQL injection risk in grader report sorting

Posted by Michael Hawkins

An SQL injection risk was identified in the grader report sorting.

(Note: By default the capability to access this page is only available to teachers, non-editing teachers and managers.)

Severity/Risk: Serious
Versions affected: 4.2 to 4.2.1
Versions fixed: 4.2.2
Reported by: Paul Holden
Workaround: Remove access to the gradereport/grader:view capability until the patch has been applied.
CVE identifier: CVE-2023-40319
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-78790
Tracker issue: MDL-78790 SQL injection risk in grader report sorting

MSA-23-0021: Some block permissions on Dashboard not respected

Posted by Michael Hawkins

Permission overrides on individual blocks in the system dashboard did not cascade to user dashboards.


Severity/Risk: Minor
Versions affected: 4.2 to 4.2.1, 4.1 to 4.1.4, 4.0 to 4.0.9, 3.11 to 3.11.15, 3.9 to 3.9.22 and earlier unsupported versions
Versions fixed: 4.2.2, 4.1.5, 4.0.10, 3.11.16 and 3.9.23
Reported by: Bas Harkink
CVE identifier: CVE-2023-40318
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-78340
Tracker issue: MDL-78340 Some block permissions on Dashboard not respected

MSA-23-0020: Remote code execution risk when parsing malformed file repository reference

Posted by Michael Hawkins

A remote code execution risk was identified where file repository reference properties are parsed.


Severity/Risk: Serious
Versions affected: 4.2 to 4.2.1, 4.1 to 4.1.4, 4.0 to 4.0.9, 3.11 to 3.11.15, 3.9 to 3.9.22 and earlier unsupported versions
Versions fixed: 4.2.2, 4.1.5, 4.0.10, 3.11.16 and 3.9.23
Reported by: Paul Holden
CVE identifier: CVE-2023-40317
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-78647
Tracker issue: MDL-78647 Remote code execution risk when parsing malformed file repository reference

MSA-23-0019: Proxy bypass risk due to insufficient validation

Posted by Michael Hawkins

Incorrect domain matching logic made it possible to bypass the proxy, which could result in access to hosts intended to be blocked by the proxy.


Severity/Risk: Serious
Versions affected: 4.2 to 4.2.1, 4.1 to 4.1.4, 4.0 to 4.0.9, 3.11 to 3.11.15, 3.9 to 3.9.22 and earlier unsupported versions
Versions fixed: 4.2.2, 4.1.5, 4.0.10, 3.11.16 and 3.9.23
Reported by: Brendan Heywood
Workaround: Add hosts blocked within the proxy to the Moodle cURL blocked hosts configuration if possible, until the patch is applied.
CVE identifier: CVE-2023-40316
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-74289
Tracker issue: MDL-74289 Proxy bypass risk due to insufficient validation

MSA-23-0018: SSRF risk due to insufficient check on the cURL blocked hosts list

Posted by Michael Hawkins

An issue in the logic used to check 0.0.0.0 against the cURL blocked hosts lists resulted in an SSRF risk.


Severity/Risk: Serious
Versions affected: 4.2, 4.1 to 4.1.3, 4.0 to 4.0.8, 3.11 to 3.11.14, 3.9 to 3.9.21 and earlier unsupported versions
Versions fixed: 4.2.1, 4.1.4, 4.0.9, 3.11.15 and 3.9.22
Reported by: Mateo Hanžek
CVE identifier: CVE-2023-35133
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-78215
Tracker issue: MDL-78215 SSRF risk due to insufficient check on the cURL blocked hosts list

MSA-23-0017: Minor SQL injection risk on Mnet SSO access control page

Posted by Michael Hawkins

A limited SQL injection risk was identified on the Mnet SSO access control page.


Severity/Risk: Minor
Versions affected: 4.2, 4.1 to 4.1.3, 4.0 to 4.0.8, 3.11 to 3.11.14, 3.9 to 3.9.21 and earlier unsupported versions
Versions fixed: 4.2.1, 4.1.4, 4.0.9, 3.11.15 and 3.9.22
Reported by: Paul Holden
CVE identifier: CVE-2023-35132
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-77193
Tracker issue: MDL-77193 Minor SQL injection risk on Mnet SSO access control page

MSA-23-0016: XSS risk on groups page

Posted by Michael Hawkins

Content on the groups page required additional sanitizing to prevent an XSS risk.


Severity/Risk: Minor
Versions affected: 4.2, 4.1 to 4.1.3, 4.0 to 4.0.8 and 3.11 to 3.11.14
Versions fixed: 4.2.1, 4.1.4, 4.0.9 and 3.11.15
Reported by: Petr Skoda
CVE identifier: CVE-2023-35131
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-76683
Tracker issue: MDL-76683 XSS risk on groups page

MSA-23-0015: Minor SQL injection risk in external Wiki method for listing pages

Posted by Michael Hawkins

A limited SQL injection risk was identified in functionality used by the Wiki activity when listing pages.


Severity/Risk: Minor
Versions affected: 4.1 to 4.1.2, 4.0 to 4.0.7, 3.11 to 3.11.13, 3.9 to 3.9.20 and earlier unsupported versions
Versions fixed: 4.1.3, 4.0.8, 3.11.14 and 3.9.21
Reported by: Paul Holden
CVE identifier: CVE-2023-30944
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-77187
Tracker issue: MDL-77187 Minor SQL injection risk in external Wiki method for listing pages

MSA-23-0014: TinyMCE loaders susceptible to Arbitrary Folder Creation

Posted by Michael Hawkins

Insufficient sanitizing of loaders used by TinyMCE resulted in an arbitrary folder creation risk.


Severity/Risk: Serious
Versions affected: 4.1 to 4.1.2
Versions fixed: 4.1.3
Reported by: Yaniv Nizry (SonarSource)
CVE identifier: CVE-2023-30943
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-77718
Tracker issue: MDL-77718 TinyMCE loaders susceptible to Arbitrary Folder Creation