Insufficient sanitizing in an undocumented MimeTeX command resulted in a remote code execution risk for sites using MimeTeX (via the TeX Notation filter).
Please also note that due to MimeTeX being un-maintained and without security updates for an extended period of time, it is considered an increasing security risk and not recommended for production use (see workaround below). For this reason MimeTeX support will also be removed from Moodle LMS in the near future.
| Severity/Risk: | Serious |
| Versions affected: | 4.5 to 4.5.3, 4.4 to 4.4.7, 4.3 to 4.3.11, 4.1 to 4.1.17 and earlier unsupported versions |
| Versions fixed: | 4.5.4, 4.4.8, 4.3.12 and 4.1.18 |
| Reported by: | TaiYou |
| Workaround: | Disable the TeX Notation filter until the patch is applied. If an alternative mathematical formula filter is required, consider configuring the MathJax filter instead. Alternatively, if you provide valid paths to LaTeX, dvips and convert binaries in the TeX Notation filter settings, the filter will use those instead of MimeTeX, as MimeTeX is the filter's fallback option. If setting the TeX Notation filter binary paths, you may wish to additionally insert a false MimeTeX path such as "x" that is not a valid executable, so that even if the system attempts to use MimeTeX, it fails to execute (leaving it blank does not have the same effect, because it then uses a version of MimeTeX included with Moodle LMS). |
| CVE identifier: | CVE-2024-40446 |
| Changes (main): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-85152 |
| Tracker issue: | MDL-85152 Remote code execution risk via MimeTeX command (upstream) |