Security announcements

MSA-24-0041: LFI vulnerability when restoring malformed block backups

Michael Hawkins -

A local file include risk when restoring block backups was identified.

Severity/Risk: Serious
Versions affected: 4.4 to 4.4.1, 4.3 to 4.3.5, 4.2 to 4.2.8, 4.1 to 4.1.11 and earlier unsupported versions
Versions fixed: 4.4.2, 4.3.6, 4.2.9 and 4.1.12
Reported by: Paul Holden
CVE identifier: CVE-2024-43440
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-82392
Tracker issue: MDL-82392 LFI vulnerability when restoring malformed block backups

MSA-24-0040: Reflected XSS via H5P error message

Michael Hawkins -

H5P error messages required additional sanitizing to prevent a reflected XSS risk.

Severity/Risk: Serious
Versions affected: 4.4 to 4.4.1, 4.3 to 4.3.5, 4.2 to 4.2.8, 4.1 to 4.1.11 and earlier unsupported versions
Versions fixed: 4.4.2, 4.3.6, 4.2.9 and 4.1.12
Reported by: TeHoFu
CVE identifier: CVE-2024-43439
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-82558
Tracker issue: MDL-82558 Reflected XSS via H5P error message

MSA-24-0039: IDOR in Feedback non-respondents report allows messaging arbitrary site users

Michael Hawkins -

Bulk messaging in the Feedback activity's non-respondents report did not verify that the submitted message recipients belonged to the set of users returned by the report, so any user ID could be supplied.

Severity/Risk: Minor
Versions affected: 4.4 to 4.4.1, 4.3 to 4.3.5, 4.2 to 4.2.8, 4.1 to 4.1.11 and earlier unsupported versions
Versions fixed: 4.4.2, 4.3.6, 4.2.9 and 4.1.12
Reported by: Paul Holden
CVE identifier: CVE-2024-43438
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-82261
Tracker issue: MDL-82261 IDOR in Feedback non-respondents report allows messaging arbitrary site users

MSA-24-0038: XSS risk when restoring malicious course backup file

Michael Hawkins -

Insufficient sanitizing of data when performing a restore could result in an XSS risk from malicious backup files.

Severity/Risk: Minor
Versions affected: 4.4 to 4.4.1, 4.3 to 4.3.5, 4.2 to 4.2.8, 4.1 to 4.1.11 and earlier unsupported versions
Versions fixed: 4.4.2, 4.3.6, 4.2.9 and 4.1.12
Reported by: Adam Chovanec
CVE identifier: CVE-2024-43437
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-81394
Tracker issue: MDL-81394 XSS risk when restoring malicious course backup file

MSA-24-0037: Site administration SQL injection via XMLDB editor

Michael Hawkins -

An SQL injection risk was identified in the XMLDB editor tool available to site administrators.

Severity/Risk: Serious
Versions affected: 4.4 to 4.4.1, 4.3 to 4.3.5, 4.2 to 4.2.8, 4.1 to 4.1.11 and earlier unsupported versions
Versions fixed: 4.4.2, 4.3.6, 4.2.9 and 4.1.12
Reported by: TaiYou
CVE identifier: CVE-2024-43436
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-82395
Tracker issue: MDL-82395 Site administration SQL injection via XMLDB editor

MSA-24-0036: Can create global glossary without being admin

Michael Hawkins -

Insufficient capability checks made it possible for users with access to restore glossaries in courses to restore them into the global site glossary.

Severity/Risk: Minor
Versions affected: 4.4 to 4.4.1, 4.3 to 4.3.5, 4.2 to 4.2.8, 4.1 to 4.1.11 and earlier unsupported versions
Versions fixed: 4.4.2, 4.3.6, 4.2.9 and 4.1.12
Reported by: Robert Schrenk
CVE identifier: CVE-2024-43435
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-64984
Tracker issue: MDL-64984 Can create global glossary without being admin

MSA-24-0035: CSRF risk in Feedback non-respondents report

Michael Hawkins -

The bulk message sending feature for the Feedback module's non-respondents report had an incorrect CSRF token check, resulting in a CSRF risk.

Severity/Risk: Serious
Versions affected: 4.4 to 4.4.1, 4.3 to 4.3.5, 4.2 to 4.2.8, 4.1 to 4.1.11 and earlier unsupported versions
Versions fixed: 4.4.2, 4.3.6, 4.2.9 and 4.1.12
Reported by: Paul Holden
CVE identifier: CVE-2024-43434
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-82262
Tracker issue: MDL-82262 CSRF risk in Feedback non-respondents report
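The two Feedback advisories above (MSA-24-0039 and MSA-24-0035) concern the same bulk-message handler and the two checks it was missing: a correct CSRF token check, and a check that every requested recipient is actually in the report's result set. The following is an added illustration of a handler that performs both; it is not Moodle code and does not reproduce Moodle's fix. The session shape, the form field names, the user data and the `Forbidden` exception are all constructed for the example.

```python
"""Hardened bulk-message handler for a 'non-respondents' report.

Added example, not Moodle's code. The session layout, form field names and
enrolment data below are assumptions constructed for the illustration.
"""
import hmac

# Constructed sample data for one Feedback activity.
ENROLLED = {101, 102, 103, 104}          # users enrolled in the course
COMPLETED = {102}                        # users who already submitted the feedback
SESSION = {"csrf_token": "a1b2c3d4"}     # assumed: token bound to the user's session


class Forbidden(Exception):
    """Raised when the request fails an authorisation or CSRF check."""


def non_respondents(enrolled, completed):
    """The exact set of users the report shows: enrolled minus completed."""
    return set(enrolled) - set(completed)


def check_csrf(session, submitted):
    """Reject the request unless the submitted token matches the session token.

    compare_digest is used so the comparison does not leak timing information;
    a missing token on either side is treated as a failure, never as a match.
    """
    expected = session.get("csrf_token")
    if not expected or not submitted or not hmac.compare_digest(expected, submitted):
        raise Forbidden("invalid or missing CSRF token")


def send_bulk_message(session, form, enrolled=ENROLLED, completed=COMPLETED):
    """Return the sorted list of recipients messaged, or raise Forbidden.

    Recipients are authorised against the report's own result set rather than
    trusted from the form, which is what closes the IDOR: a user can message
    only people the report would have shown them.
    """
    check_csrf(session, form.get("csrf_token"))
    allowed = non_respondents(enrolled, completed)
    requested = {int(uid) for uid in form.get("recipients", [])}
    if not requested:
        raise Forbidden("no recipients selected")
    outside = requested - allowed
    if outside:
        raise Forbidden("recipients not in report: %s" % sorted(outside))
    # Message sending itself is out of scope here; return who would be messaged.
    return sorted(requested)


def try_send(session, form):
    """Wrapper that reports the outcome as a tuple instead of raising."""
    try:
        return "sent", send_bulk_message(session, form)
    except Forbidden as exc:
        return "rejected", str(exc)


if __name__ == "__main__":
    print(try_send(SESSION, {"csrf_token": "a1b2c3d4", "recipients": [101, 103]}))
    print(try_send(SESSION, {"csrf_token": "a1b2c3d4", "recipients": [101, 999]}))
    print(try_send(SESSION, {"csrf_token": "wrong", "recipients": [101]}))
```

The recipient check deliberately recomputes the report's result set on the server for every submission rather than caching the list of IDs the form rendered; the set is the authorisation boundary, and it is cheap to rebuild.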

MSA-24-0034: Matrix user/power level management not always working as expected with suspended users

Michael Hawkins -

Matrix room membership and power levels were not correctly applied or revoked for suspended Moodle users.

Severity/Risk: Minor
Versions affected: 4.4 to 4.4.1 and 4.3 to 4.3.5
Versions fixed: 4.4.2, 4.3.6
Reported by: Michael Hawkins
Workaround: Manually manage suspended users within Matrix (as a moderator/admin), until the patch is applied.
CVE identifier: CVE-2024-43433
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-81951
Tracker issue: MDL-81951 Matrix user/power level management not always working as expected with suspended users

MSA-24-0033: Authorization headers preserved between "emulated redirects"

Michael Hawkins -

The cURL wrapper in Moodle stripped the HTTPAUTH and USERPWD cURL options during emulated redirects, but retained the other headers set explicitly on the original request, so an HTTP Authorization header could be sent unintentionally in requests to the redirect target.

Severity/Risk: Minor
Versions affected: 4.4 to 4.4.1, 4.3 to 4.3.5, 4.2 to 4.2.8, 4.1 to 4.1.11 and earlier unsupported versions
Versions fixed: 4.4.2, 4.3.6, 4.2.9 and 4.1.12
Reported by: Marina Glancy
CVE identifier: CVE-2024-43432
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-82136
Tracker issue: MDL-82136 Authorization headers preserved between "emulated redirects"
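The bug class above is worth seeing in code: a client that follows redirects itself must recompute the header set for each hop rather than replaying the original headers. The following is an added example of such a loop in Python; it is not Moodle's cURL wrapper and does not reproduce its fix. The `fetch` callable, the list of credential headers, the same-origin policy and the fake server used at the end are all assumptions constructed for the illustration.

```python
"""Emulated redirect following that does not leak credential headers.

Added example, not Moodle code. SENSITIVE_HEADERS, the same-origin policy and
the fake_fetch() server are assumptions constructed for this illustration.
"""
from urllib.parse import urljoin, urlsplit

# Headers that carry credentials; they must not follow a redirect off-origin.
SENSITIVE_HEADERS = frozenset({"authorization", "proxy-authorization", "cookie"})
MAX_REDIRECTS = 5


def origin(url):
    """(scheme, host, effective port) for an absolute http(s) URL."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        raise ValueError("refusing non-http(s) redirect target: %r" % url)
    port = parts.port or (443 if scheme == "https" else 80)
    return scheme, (parts.hostname or "").lower(), port


def headers_for_redirect(from_url, to_url, headers):
    """Headers to reuse when hopping from from_url to to_url.

    Credential-bearing headers survive only a same-origin hop (same scheme,
    host and port, so an https->http downgrade also drops them). Everything
    else is passed through unchanged.
    """
    if origin(from_url) == origin(to_url):
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() not in SENSITIVE_HEADERS}


def follow_emulated(fetch, url, headers, max_redirects=MAX_REDIRECTS):
    """Emulate redirect following on top of a single-request fetch().

    fetch(url, headers) -> (status, response_headers, body). Returns the final
    (url, status, body). Because stripping only ever removes headers, comparing
    each hop with the previous one is enough: once the chain leaves the
    original origin the credentials are gone and are never re-added.
    """
    current, current_headers = url, dict(headers)
    for _ in range(max_redirects + 1):
        status, resp_headers, body = fetch(current, current_headers)
        location = resp_headers.get("Location")
        if status not in (301, 302, 303, 307, 308) or not location:
            return current, status, body
        nxt = urljoin(current, location)       # Location may be relative
        current_headers = headers_for_redirect(current, nxt, current_headers)
        current = nxt
    raise RuntimeError("too many redirects")


def run_demo():
    """Constructed scenario: an authenticated request is bounced off-site."""
    seen = []                                   # (url, headers) per request

    def fake_fetch(url, headers):               # stand-in for a real HTTP call
        seen.append((url, dict(headers)))
        if url == "https://lms.example/api/export":
            return 302, {"Location": "https://collector.example/grab"}, b""
        return 200, {}, b"ok"

    final_url, status, _ = follow_emulated(
        fake_fetch,
        "https://lms.example/api/export",
        {"Authorization": "Bearer SECRET", "Accept": "application/json"},
    )
    return seen, final_url, status


if __name__ == "__main__":
    requests_seen, final, code = run_demo()
    for u, h in requests_seen:
        print(u, sorted(h))
    print(final, code)
```

Note that `origin()` refuses non-http(s) schemes outright; an emulated redirect loop that hands arbitrary `Location` values to a general-purpose fetcher is also how `file://` and similar targets end up being read.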

MSA-24-0032: IDOR in badges allows deletion of arbitrary badges

Michael Hawkins -

Insufficient capability checks made it possible to delete badges that the requesting user had no permission to manage.

Severity/Risk: Serious
Versions affected: 4.4 to 4.4.1, 4.3 to 4.3.5, 4.2 to 4.2.8, 4.1 to 4.1.11 and earlier unsupported versions
Versions fixed: 4.4.2, 4.3.6, 4.2.9 and 4.1.12
Reported by: Paul Holden
CVE identifier: CVE-2024-43431
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-82390
Tracker issue: MDL-82390 IDOR in badges allows deletion of arbitrary badges