Security announcements

MSA-24-0006: IDOR on dashboard comments block

by Michael Hawkins -

Insufficient checks in a web service made it possible to add comments to the comments block on another user's dashboard when it was not otherwise available (eg on their profile page).


Severity/Risk: Minor
Versions affected: 4.3 to 4.3.2, 4.2 to 4.2.5, 4.1 to 4.1.8 and earlier unsupported versions
Versions fixed: 4.3.3, 4.2.6 and 4.1.9
Reported by: BA7MAN
CVE identifier: CVE-2024-25983
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-78300
Tracker issue: MDL-78300 IDOR on dashboard comments block

MSA-24-0005: CSRF risk in Language import utility

by Michael Hawkins -

The link to update all installed language packs did not include the necessary token to prevent a CSRF risk.


Severity/Risk: Minor
Versions affected: 4.3 to 4.3.2, 4.2 to 4.2.5, 4.1 to 4.1.8 and earlier unsupported versions
Versions fixed: 4.3.3, 4.2.6 and 4.1.9
Reported by: Panagiotis Petasis
CVE identifier: CVE-2024-25982
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-54749
Tracker issue: MDL-54749 CSRF risk in Language import utility

MSA-24-0004: Forum export did not respect activity group settings

by Michael Hawkins -

Separate Groups mode restrictions were not honoured when performing a forum export, which would export forum data for all groups. By default this only provided additional access to non-editing teachers.


Severity/Risk: Minor
Versions affected: 4.3 to 4.3.2, 4.2 to 4.2.5, 4.1 to 4.1.8 and earlier unsupported versions
Versions fixed: 4.3.3, 4.2.6 and 4.1.9
Reported by: Leon Stringer
CVE identifier: CVE-2024-25981
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-80504
Tracker issue: MDL-80504 Forum export did not respect activity group settings

MSA-24-0003: H5P attempts report did not respect activity group settings

by Michael Hawkins -

Separate Groups mode restrictions were not honoured in the H5P attempts report, which would display users from other groups. By default this only provided additional access to non-editing teachers.


Severity/Risk: Minor
Versions affected: 4.3 to 4.3.2, 4.2 to 4.2.5, 4.1 to 4.1.8 and earlier unsupported versions
Versions fixed: 4.3.3, 4.2.6 and 4.1.9
Reported by: Leon Stringer
CVE identifier: CVE-2024-25980
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-80501
Tracker issue: MDL-80501 H5P attempts report did not respect activity group settings

MSA-24-0002: Forum search accepted random parameters in its URL

by Michael Hawkins -

The URL parameters accepted by forum search were not limited to the allowed parameters.


Severity/Risk: Minor
Versions affected: 4.3 to 4.3.2, 4.2 to 4.2.5, 4.1 to 4.1.8 and earlier unsupported versions
Versions fixed: 4.3.3, 4.2.6 and 4.1.9
Reported by: Piotr Widak
CVE identifier: CVE-2024-25979
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-69774
Tracker issue: MDL-69774 Forum search accepted random parameters in its URL

MSA-24-0001: Denial of service risk in file picker unzip functionality

by Michael Hawkins -

Insufficient file size checks resulted in a denial of service risk in the file picker's unzip functionality.


Severity/Risk: Serious
Versions affected: 4.3 to 4.3.2, 4.2 to 4.2.5, 4.1 to 4.1.8 and earlier unsupported versions
Versions fixed: 4.3.3, 4.2.6 and 4.1.9
Reported by: Sam Ezeh
CVE identifier: CVE-2024-25978
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-74641
Tracker issue: MDL-74641 Denial of service risk in file picker unzip functionality

MSA-23-0053: Reflected XSS risk on ad-hoc tasks page

by Michael Hawkins -

The "classname" parameter on the admin ad-hoc tasks page required additional sanitizing to prevent a reflected XSS risk.


Severity/Risk: Serious
Versions affected: 4.3 and 4.2 to 4.2.3
Versions fixed: 4.3.1 and 4.2.4
Reported by: Paul Holden
CVE identifier: CVE-2023-6670
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-79839
Tracker issue: MDL-79839 Reflected XSS risk on ad-hoc tasks page

MSA-23-0052: XSS risk when manually running a task in the admin UI

by Michael Hawkins -

The mtrace output when running a task in the admin UI required additional sanitizing to prevent an XSS risk.


Severity/Risk: Minor
Versions affected: 4.3, 4.2 to 4.2.3, 4.1 to 4.1.6, 4.0 to 4.0.11, 3.11 to 3.11.17, 3.9 to 3.9.24 and earlier unsupported versions
Versions fixed: 4.3.1, 4.2.4, 4.1.7, 4.0.12, 3.11.18 and 3.9.25
Reported by: Brendan Heywood
CVE identifier: CVE-2023-6669
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-80309
Tracker issue: MDL-80309 XSS risk when manually running a task in the admin UI

MSA-23-0051: Badge recipients are available to all users

by Michael Hawkins -

Insufficient capability checks meant it was possible for all users to view the recipients of badges.


Severity/Risk: Minor
Versions affected: 4.3, 4.2 to 4.2.3, 4.1 to 4.1.6, 4.0 to 4.0.11, 3.11 to 3.11.17, 3.9 to 3.9.24 and earlier unsupported versions
Versions fixed: 4.3.1, 4.2.4, 4.1.7, 4.0.12, 3.11.18 and 3.9.25
Reported by: Sara Arjona (@sarjona)
CVE identifier: CVE-2023-6668
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-80268
Tracker issue: MDL-80268 Badge recipients are available to all users

MSA-23-0050: Survey responses did not respect group settings

by Michael Hawkins -

Separate Groups mode restrictions were not honoured in survey response reports, which would display users from other groups.


Severity/Risk: Minor
Versions affected: 4.3, 4.2 to 4.2.3, 4.1 to 4.1.6, 4.0 to 4.0.11, 3.11 to 3.11.17, 3.9 to 3.9.24 and earlier unsupported versions
Versions fixed: 4.3.1, 4.2.4, 4.1.7, 4.0.12, 3.11.18 and 3.9.25
Reported by: Leon Stringer
CVE identifier: CVE-2023-6667
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-79980
Tracker issue: MDL-79980 Survey responses did not respect group settings