Security announcements

MSA-23-0003: Possible to set the preferred "start page" of other users

by Michael Hawkins -

Insufficient limitations on the "start page" preference made it possible to set that preference for another user. (Note: This was still limited to the pre-defined start page options)


Severity/Risk: Minor
Versions affected: 4.1, 4.0 to 4.0.5, 3.11 to 3.11.11, 3.9 to 3.9.18 and earlier unsupported versions
Versions fixed: 4.1.1, 4.0.6, 3.11.12 and 3.9.19
Reported by: Paul Holden
CVE identifier: CVE-2023-23923
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-76862
Tracker issue: MDL-76862 Possible to set the preferred "start page" of other users

MSA-23-0002: Reflected XSS risk in blog search

by Michael Hawkins -

Blog search required additional sanitizing to prevent a reflected XSS risk.


Severity/Risk: Serious
Versions affected: 4.1 and 4.0 to 4.0.5
Versions fixed: 4.1.1, 4.0.6
Reported by: Unknown (name not provided)
CVE identifier: CVE-2023-23922
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-76861
Tracker issue: MDL-76861 Reflected XSS risk in blog search

MSA-23-0001: Reflected XSS risk in some returnurl parameters

by Michael Hawkins -

Some returnurl parameters required additional sanitizing to prevent a reflected XSS risk.


Severity/Risk: Serious
Versions affected: 4.1, 4.0 to 4.0.5, 3.11 to 3.11.11, 3.9 to 3.9.18 and earlier unsupported versions
Versions fixed: 4.1.1, 4.0.6, 3.11.12 and 3.9.19
Reported by: DegrangeM
CVE identifier: CVE-2023-23921
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-76810
Tracker issue: MDL-76810 Reflected XSS risk in some returnurl parameters

MSA-22-0032: Blind SSRF risk in LTI provider library

by Michael Hawkins -

Moodle's LTI provider library did not utilise Moodle's inbuilt cURL helper, which resulted in a blind SSRF risk.


Severity/Risk: Serious
Versions affected: 4.0 to 4.0.4, 3.11 to 3.11.10, 3.9 to 3.9.17 and earlier unsupported versions
Versions fixed: 4.0.5, 3.11.11 and 3.9.18
Reported by: Rekter0 and Holme
CVE identifier: CVE-2022-45152
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71920
Tracker issue: MDL-71920 Blind SSRF risk in LTI provider library

MSA-22-0031: Stored XSS possible in some "social" user profile fields

by Michael Hawkins -

The "social" user profile field type performed insufficient escaping on some fields, resulting in a stored XSS risk.


Severity/Risk: Serious
Versions affected: 4.0 to 4.0.4 and 3.11 to 3.11.10
Versions fixed: 4.0.5 and 3.11.11
Reported by: Bernardo Cabral
Workaround: Update "social" user profile fields so their visibility is set to "not visible", until the patch is applied.
CVE identifier: CVE-2022-45151
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-76131
Tracker issue: MDL-76131 Stored XSS possible in some "social" user profile fields

MSA-22-0030: Reflected XSS risk in policy tool

by Michael Hawkins -

The return URL in the policy tool required extra sanitizing to prevent a reflected XSS risk.


Severity/Risk: Serious
Versions affected: 4.0 to 4.0.4, 3.11 to 3.11.10, 3.9 to 3.9.17 and earlier unsupported versions
Versions fixed: 4.0.5, 3.11.11 and 3.9.18
Reported by: Eric Merrill
CVE identifier: CVE-2022-45150
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-76091
Tracker issue: MDL-76091 Reflected XSS risk in policy tool

MSA-22-0029: Course restore - CSRF token passed in course redirect URL

by Michael Hawkins -

A user's CSRF token was unnecessarily included in the URL when being redirected to a course they have just restored.


Severity/Risk: Minor
Versions affected: 4.0 to 4.0.4, 3.11 to 3.11.10, 3.9 to 3.9.17 and earlier unsupported versions
Versions fixed: 4.0.5, 3.11.11 and 3.9.18
Reported by: Michael Hawkins
CVE identifier: CVE-2022-45149
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-75862
Tracker issue: MDL-75862 Course restore - CSRF token passed in course redirect URL

MSA-22-0028: Apply upstream security fix to VideoJS library to remove XSS risk

by Michael Hawkins -

An upstream security patch was applied to the third party VideoJS library included with Moodle, on versions affected by an XSS risk.


Severity/Risk: Serious
Versions affected: 3.11 to 3.11.10, 3.9 to 3.9.17 and earlier unsupported versions
Versions fixed: 3.11.11 and 3.9.18
Reported by: Vincent
CVE identifier: CVE-2021-23414 (upstream)
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-75278
Tracker issue: MDL-75278 Apply upstream security fix to VideoJS library to remove XSS risk

MSA-22-0027: Quiz sequential navigation bypass using web services

by Michael Hawkins -

Insufficient limitations in some quiz web services made it possible for students to bypass sequential navigation during a quiz attempt.


Severity/Risk: Minor
Versions affected: 4.0 to 4.0.2, 3.11 to 3.11.8, 3.9 to 3.9.15 and earlier unsupported versions
Versions fixed: 4.0.3, 3.11.9 and 3.9.16
Reported by: omaralbalouli
CVE identifier: CVE-2022-40208
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-75210
Tracker issue: MDL-75210 Quiz sequential navigation bypass using web services

MSA-22-0026: No groups filtering in H5P activity attempts report

by Michael Hawkins -

The H5P activity attempts report did not filter by groups, which in separate groups mode could reveal information to non-editing teachers about attempts/users in groups they should not have access to.


Severity/Risk: Minor
Versions affected: 4.0 to 4.0.3, 3.11 to 3.11.9, 3.9 to 3.9.16 and earlier unsupported versions
Versions fixed: 4.0.4, 3.11.10 and 3.9.17
Reported by: Jari Vilkman and Bjørn Teistung
Workaround: Access to this feature can be revoked by removing the mod/h5pactivity:reviewattempts capability from relevant users until the patch is applied.
CVE identifier: CVE-2022-40316
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71662
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-72012
Tracker issue: MDL-71662 and MDL-72012 No groups filtering in H5P activity attempts report