Security announcements

MSA-26-0029: Missing capability checks in report builder fragment callbacks

by Michael Hawkins -

The report builder fragment output callbacks did not verify that the requesting user had the required capability to access the requested report, potentially allowing users to retrieve report data beyond their permitted access.

Severity/Risk: Minor
Versions affected: 5.2, 5.1 to 5.1.4, 5.0 to 5.0.7, 4.5 to 4.5.11 and earlier unsupported versions
Versions fixed: 5.2.1, 5.1.5, 5.0.8 and 4.5.12
Reported by: Paul Holden
CVE identifier: Pending (this will be updated once available)
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-84535
Tracker issue: MDL-84535 Missing capability checks in report builder fragment callbacks
Discuss this topic  (0 replies so far)

MSA-26-0028: DoS risk via user profile description

by Michael Hawkins -

User profile descriptions for authenticated users posed a denial of service risk due to the absence of a defined maximum length.

Severity/Risk: Serious
Versions affected: 5.2, 5.1 to 5.1.4, 5.0 to 5.0.7, 4.5 to 4.5.11 and earlier unsupported versions
Versions fixed: 5.2.1, 5.1.5, 5.0.8 and 4.5.12
Reported by: David Bogner
CVE identifier: Pending (this will be updated once available)
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-87898
Tracker issue: MDL-87898 DoS risk via user profile description
Discuss this topic  (0 replies so far)

MSA-26-0027: Blind SSRF risk in MNet peers function

by Michael Hawkins -

A blind SSRF risk was identified in the MNet peers management functionality, due to missing validation of peer hostnames against the cURL blocked hosts configuration. Note: This feature is only available to site administrators.

Severity/Risk: Minor
Versions affected: 5.2, 5.1 to 5.1.4, 5.0 to 5.0.7, 4.5 to 4.5.11 and earlier unsupported versions
Versions fixed: 5.2.1, 5.1.5, 5.0.8 and 4.5.12
Reported by: DangKhai (VPBank Security Team)
CVE identifier: Pending (this will be updated once available)
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-87911
Tracker issue: MDL-87911 Blind SSRF risk in MNet peers function
Discuss this topic  (0 replies so far)

MSA-26-0026: Missing capability check in Assignment marker allocation

by Michael Hawkins -

Insufficient capability checks in the Assignment module's marker allocation functionality allowed users without the required capability to allocate markers to submissions.

Severity/Risk: Serious
Versions affected: 5.2, 5.1 to 5.1.4, 5.0 to 5.0.7, 4.5 to 4.5.11 and earlier unsupported versions
Versions fixed: 5.2.1, 5.1.5, 5.0.8 and 4.5.12
Reported by: Paul Holden
CVE identifier: Pending (this will be updated once available)
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-88529
Tracker issue: MDL-88529 Missing capability check in Assignment marker allocation
Discuss this topic  (0 replies so far)

MSA-26-0025: CSRF risk in quiz attempt regrading

by Michael Hawkins -

The regrade action in the quiz overview report did not include the necessary token to prevent a CSRF risk.

Severity/Risk: Serious
Versions affected: 5.2, 5.1 to 5.1.4, 5.0 to 5.0.7, 4.5 to 4.5.11 and earlier unsupported versions
Versions fixed: 5.2.1, 5.1.5, 5.0.8 and 4.5.12
Reported by: Paul Holden
CVE identifier: Pending (this will be updated once available)
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-88531
Tracker issue: MDL-88531 CSRF risk in quiz attempt regrading
Discuss this topic  (0 replies so far)

MSA-26-0024: Missing capability checks in AI placement web services

by Michael Hawkins -

Capability checks were missing from course assistance AI placement web services, which could allow users to make requests to those AI course assistance web services without having the relevant capabilities (if those features are enabled).

Severity/Risk: Minor
Versions affected: 5.2, 5.1 to 5.1.4, 5.0 to 5.0.7, 4.5 to 4.5.11 and earlier unsupported versions
Versions fixed: 5.2.1, 5.1.5, 5.0.8 and 4.5.12
Reported by: Paul Holden
CVE identifier: Pending (this will be updated once available)
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-88533
Tracker issue: MDL-88533 Missing capability checks in AI placement web services
Discuss this topic  (0 replies so far)

MSA-26-0023: CSRF risk when adding quiz section headings

by Michael Hawkins -

The quiz feature to add section headings did not include the necessary token to prevent a CSRF risk.

Severity/Risk: Minor
Versions affected: 5.2, 5.1 to 5.1.4, 5.0 to 5.0.7, 4.5 to 4.5.11 and earlier unsupported versions
Versions fixed: 5.2.1, 5.1.5, 5.0.8 and 4.5.12
Reported by: Paul Holden
CVE identifier: Pending (this will be updated once available)
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-88540
Tracker issue: MDL-88540 CSRF risk when adding quiz section headings
Discuss this topic  (0 replies so far)

MSA-26-0022: CSRF risk in group messaging state toggle

by Michael Hawkins -

The actions to enable and disable group messaging did not include the necessary token to prevent a CSRF risk.

Severity/Risk: Minor
Versions affected: 5.2, 5.1 to 5.1.4, 5.0 to 5.0.7, 4.5 to 4.5.11 and earlier unsupported versions
Versions fixed: 5.2.1, 5.1.5, 5.0.8 and 4.5.12
Reported by: Paul Holden
CVE identifier: Pending (this will be updated once available)
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-88541
Tracker issue: MDL-88541 CSRF risk in group messaging state toggle
Discuss this topic  (0 replies so far)

MSA-26-0021: CSRF and XSS in grade item idnumber editing

by Michael Hawkins -

The grade item ID number editing functionality did not include the necessary token to prevent a CSRF risk and also lacked sufficient output sanitizing to prevent an XSS risk.

Severity/Risk: Serious
Versions affected: 5.2, 5.1 to 5.1.4, 5.0 to 5.0.7, 4.5 to 4.5.11 and earlier unsupported versions
Versions fixed: 5.2.1, 5.1.5, 5.0.8 and 4.5.12
Reported by: Paul Holden
CVE identifier: Pending (this will be updated once available)
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-88542
Tracker issue: MDL-88542 CSRF and XSS in grade item idnumber editing
Discuss this topic  (0 replies so far)

MSA-26-0020: Reflected XSS via Feedback import error message

by Michael Hawkins -

The Feedback activity module's import functionality required additional sanitizing to prevent a reflected XSS risk.

Severity/Risk: Minor
Versions affected: 5.2, 5.1 to 5.1.4, 5.0 to 5.0.7, 4.5 to 4.5.11 and earlier unsupported versions
Versions fixed: 5.2.1, 5.1.5, 5.0.8 and 4.5.12
Reported by: Paul Holden
CVE identifier: Pending (this will be updated once available)
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-88543
Tracker issue: MDL-88543 Reflected XSS via Feedback import error message
Discuss this topic  (0 replies so far)