Security announcements

MSA-22-0015: PostScript Code Injection / Remote code execution risk

Michael Hawkins發表於

An omitted execution parameter resulted in a remote code execution risk for sites running GhostScript versions older than 9.50.


Severity/Risk: Serious
Versions affected: 4.0 to 4.0.1, 3.11 to 3.11.7, 3.9 to 3.9.14 and earlier unsupported versions
Versions fixed: 4.0.2, 3.11.8 and 3.9.15
Reported by: Nick Wojciechowski, CyberCX
Workaround: Ensure older versions of GhostScript are upgraded to 9.50 or newer.
CVE identifier: CVE-2022-35649
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-75044
Tracker issue: MDL-75044 PostScript Code Injection / Remote code execution risk
討論這一議題  (至今有 0 篇回應)

MSA-22-0014: Failed login attempts counted incorrectly

Michael Hawkins發表於

An issue in the logic used to count failed login attempts could result in the account lockout threshold being bypassed.


Severity/Risk: Serious
Versions affected: 4.0, 3.11 to 3.11.6, 3.10 to 3.10.10, 3.9 to 3.9.13 and earlier unsupported versions
Versions fixed: 4.0.1, 3.11.7, 3.10.11 and 3.9.14
Reported by: Shamim Rezaie
CVE identifier: CVE-2022-30600
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-73736
Tracker issue: MDL-73736 Failed login attempts counted incorrectly
討論這一議題  (至今有 0 篇回應)

MSA-22-0013: SQL injection risk in badge award criteria

Michael Hawkins發表於

An SQL injection risk was identified in Badges code relating to configuring criteria.

NOTE: in Moodle 4.0, 3.11.6, 3.10.10 and 3.9.13, access to this vulnerability was available to site administrators only. In earlier versions, access to the relevant capability was also limited to teachers and managers by default.


Severity/Risk: Serious
Versions affected: 4.0, 3.11 to 3.11.6, 3.10 to 3.10.10, 3.9 to 3.9.13 and earlier unsupported versions
Versions fixed: 4.0.1, 3.11.7, 3.10.11 and 3.9.14
Reported by: Michael Dunstan
Workaround: In versions earlier than Moodle 4.0, 3.11.6, 3.10.10 and 3.9.13, remove the moodle/badges:configurecriteria capability from users to prevent them accessing the affected functionality until the patch is applied (in newer versions this is not necessary).
CVE identifier: CVE-2022-30599
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-74333
Tracker issue: MDL-74333 SQL injection risk in badge award criteria
討論這一議題  (至今有 0 篇回應)

MSA-22-0012: Global search results reveal authors of content unexpectedly for some activities

Michael Hawkins發表於

Global search results could include author information on some activities where a user may not otherwise have access to it.


Severity/Risk: Minor
Versions affected: 4.0, 3.11 to 3.11.6, 3.10 to 3.10.10, 3.9 to 3.9.13 and earlier unsupported versions
Versions fixed: 4.0.1, 3.11.7, 3.10.11 and 3.9.14
Reported by: Catalina
CVE identifier: CVE-2022-30598
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71623
Tracker issue: MDL-71623 Global search results reveal authors of content unexpectedly for some activities
討論這一議題  (至今有 0 篇回應)

MSA-22-0011: Description field hidden by user policies (hiddenuserfields) is still visible

Michael Hawkins發表於

The description user field was not hidden when being set as a hidden user field.


Severity/Risk: Minor
Versions affected: 4.0, 3.11 to 3.11.6, 3.10 to 3.10.10, 3.9 to 3.9.13 and earlier unsupported versions
Versions fixed: 4.0.1, 3.11.7, 3.10.11 and 3.9.14
Reported by: Bo Foght
CVE identifier: CVE-2022-30597
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-74318
Tracker issue: MDL-74318 Description field hidden by user policies (hiddenuserfields) is still visible
討論這一議題  (至今有 0 篇回應)

MSA-22-0010: Stored XSS in assignment bulk marker allocation form via user ID number

Michael Hawkins發表於

ID numbers displayed when bulk allocating markers to assignments required additional sanitizing to prevent a stored XSS risk.


Severity/Risk: Minor
Versions affected: 4.0, 3.11 to 3.11.6, 3.10 to 3.10.10, 3.9 to 3.9.13 and earlier unsupported versions
Versions fixed: 4.0.1, 3.11.7, 3.10.11 and 3.9.14
Reported by: Paul Holden
CVE identifier: CVE-2022-30596
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-74204
Tracker issue: MDL-74204 Stored XSS in assignment bulk marker allocation form via user ID number
討論這一議題  (至今有 0 篇回應)

MSA-22-0009: Upgrade CKEditor included in h5p-editor-php-library to latest version (upstream)

Michael Hawkins發表於

The CKEditor included in the h5p-editor-php-library within Moodle has been upgraded to the latest version, which includes security fixes.


Severity/Risk: Minor
Versions affected: 3.11 to 3.11.5, 3.10 to 3.10.9, 3.9 to 3.9.12 and earlier unsupported versions
Versions fixed: 3.11.6, 3.10.10 and 3.9.13
Reported by: Sara Arjona (@sarjona)
CVE identifier: N/A
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71722
Tracker issue: MDL-71722 Upgrade CKEditor included in h5p-editor-php-library to latest version (upstream)
討論這一議題  (至今有 0 篇回應)

MSA-22-0008: Upgrade PHPMailer to latest version (upstream)

Michael Hawkins發表於

The PHPMailer library included with Moodle has been upgraded to the latest version, which includes security fixes.


Severity/Risk: Minor
Versions affected: 3.11 to 3.11.5, 3.10 to 3.10.9, 3.9 to 3.9.12 and earlier unsupported versions
Versions fixed: 3.11.6, 3.10.10 and 3.9.13
Reported by: Sara Arjona (@sarjona)
CVE identifier: N/A
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71703
Tracker issue: MDL-71703 Upgrade PHPMailer to latest version (upstream)
討論這一議題  (至今有 0 篇回應)

MSA-22-0007: Possible to reach the profile field badge criteria on a course page

Michael Hawkins發表於

Users with the capability to configure badge criteria (teachers and managers by default) were able to configure course badges with profile field criteria, which should only be available for site badges.


Severity/Risk: Minor
Versions affected: 3.11 to 3.11.5, 3.10 to 3.10.9, 3.9 to 3.9.12 and earlier unsupported versions
Versions fixed: 3.11.6, 3.10.10 and 3.9.13
Reported by: Andrew Lyons
Workaround: Remove the moodle/badges:configurecriteria capability from users to prevent them accessing the relevant functionality until the patch is applied.
CVE identifier: CVE-2022-0984
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-74075
Tracker issue: MDL-74075 Possible to reach the profile field badge criteria on a course page
討論這一議題  (至今有 0 篇回應)

MSA-22-0006: Users with moodle/site:uploadusers but without moodle/user:delete could delete users

Michael Hawkins發表於

Insufficient capability checks could allow users with the moodle/site:uploadusers capability to delete users, without having the necessary moodle/user:delete capability.


Severity/Risk: Minor
Versions affected: 3.11 to 3.11.5, 3.10 to 3.10.9, 3.9 to 3.9.12 and earlier unsupported versions
Versions fixed: 3.11.6, 3.10.10 and 3.9.13
Reported by: Chris Pratt
Workaround: Remove the moodle/site:uploadusers capability from users who do not also have the moodle/user:delete capability, until the patch is applied.
CVE identifier: CVE-2022-0985
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-72972
Tracker issue: MDL-72972 Users with moodle/site:uploadusers but without moodle/user:delete could delete users
討論這一議題  (至今有 0 篇回應)