Security announcements

MSA-24-0056: Potential denial of service risk due to guest sessions' longer timeout period

by Michael Hawkins

Guest user sessions were given a longer timeout than authenticated users, which could result in an elevated denial of service risk.

Severity/Risk: Serious
Versions affected: 4.5, 4.4 to 4.4.4, 4.3 to 4.3.8, 4.1 to 4.1.14 and earlier unsupported versions
Versions fixed: 4.5.1, 4.4.5, 4.3.9 and 4.1.15
Reported by: Jerome Charaoui
CVE identifier: CVE-2024-55648
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-61316
Tracker issue: MDL-61316 Potential denial of service risk due to guest sessions' longer timeout period

MSA-24-0055: Reflected XSS in question bank filter

by Michael Hawkins

Question bank filtering required additional sanitizing to prevent a reflected XSS risk.

Severity/Risk: Serious
Versions affected: 4.5, 4.4 to 4.4.4 and 4.3 to 4.3.8
Versions fixed: 4.5.1, 4.4.5, and 4.3.9
Reported by: Andrey Alekseev (Positive Technologies)
CVE identifier: CVE-2024-55647
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-83357
Tracker issue: MDL-83357 Reflected XSS in question bank filter

MSA-24-0054: Database activity issue in separate groups mode, for users not in a group

by Michael Hawkins

In a database activity with separate groups mode enabled, users who were not in a group (and did not have permission to access all groups) could see entries from members of all groups in the activity, rather than just entries of users also not in any groups. Note: Users within groups worked as intended, only able to see entries belonging to other members of their group(s).

Severity/Risk: Minor
Versions affected: 4.5, 4.4 to 4.4.4, 4.3 to 4.3.8, 4.1 to 4.1.14 and earlier unsupported versions
Versions fixed: 4.5.1, 4.4.5, 4.3.9 and 4.1.15
Reported by: Jaron Cohen
CVE identifier: CVE-2024-55646
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-82757
Tracker issue: MDL-82757 Database activity issue in separate groups mode, for users not in a group

MSA-24-0053: Email change confirmation token available via preference

by Michael Hawkins

On sites requiring a confirmation step to update a user's email address, the token used to verify the change should only be accessible via the confirmation email, but was otherwise retrievable by the user.

Severity/Risk: Minor
Versions affected: 4.5, 4.4 to 4.4.4, 4.3 to 4.3.8, 4.1 to 4.1.14 and earlier unsupported versions
Versions fixed: 4.5.1, 4.4.5, 4.3.9 and 4.1.15
Reported by: Vincent Schneider (cli-ish)
CVE identifier: CVE-2024-55645
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-82379
Tracker issue: MDL-82379 Email change confirmation token available via preference

MSA-24-0052: Tag index page displays other users tagged with the selected tag

by Michael Hawkins

Insufficient checks meant users could see which other users were tagged with a given tag, regardless of whether they had access to view those users' profiles.

Severity/Risk: Minor
Versions affected: 4.5, 4.4 to 4.4.4, 4.3 to 4.3.8, 4.1 to 4.1.14 and earlier unsupported versions
Versions fixed: 4.5.1, 4.4.5, 4.3.9 and 4.1.15
Reported by: Frederik Milling Pytlick
CVE identifier: CVE-2024-55644
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-82963
Tracker issue: MDL-82963 Tag index page displays other users tagged with the selected tag

MSA-24-0051: Unprotected access to sensitive information via learning plan web service

by Michael Hawkins

Insufficient capability checks in a learning plan web service could result in users having the ability to retrieve information they did not have permission to access (such as users' names).

Severity/Risk: Serious
Versions affected: 4.5, 4.4 to 4.4.4, 4.3 to 4.3.8, 4.1 to 4.1.14 and earlier unsupported versions
Versions fixed: 4.5.1, 4.4.5, 4.3.9 and 4.1.15
Reported by: lUcgryy
CVE identifier: CVE-2024-55643
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-83921
Tracker issue: MDL-83921 Unprotected access to sensitive information via learning plan web service

MSA-24-0050: IDOR when fetching report schedules

by Michael Hawkins

Additional checks were required to ensure users can only access the schedule of a report if they have permission to edit that report.

Severity/Risk: Minor
Versions affected: 4.4 to 4.4.3, 4.3 to 4.3.7, 4.2 to 4.2.10, 4.1 to 4.1.13 and earlier unsupported versions
Versions fixed: 4.4.4, 4.3.8, 4.2.11 and 4.1.14
Reported by: Frédéric Massart
CVE identifier: CVE-2024-48901
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-83180
Tracker issue: MDL-83180 IDOR when fetching report schedules

MSA-24-0049: IDOR when accessing list of badge recipients

by Michael Hawkins

Additional checks were required to ensure users with permission to view badge recipients can only access lists of those they are intended to have access to.

Severity/Risk: Minor
Versions affected: 4.4 to 4.4.3
Versions fixed: 4.4.4
Reported by: Frédéric Massart
CVE identifier: CVE-2024-48900
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-83178
Tracker issue: MDL-83178 IDOR when accessing list of badge recipients

MSA-24-0048: IDOR when accessing list of course badges

by Michael Hawkins

Additional checks were required to ensure users can only fetch the list of course badges for courses they are intended to have access to.

Severity/Risk: Minor
Versions affected: 4.4 to 4.4.3
Versions fixed: 4.4.4
Reported by: Frédéric Massart
CVE identifier: CVE-2024-48899
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-83179
Tracker issue: MDL-83179 IDOR when accessing list of course badges

MSA-24-0047: Some users can delete audiences of other reports

by Michael Hawkins

Users with access to delete audiences from some reports could delete audiences from other reports they did not have permission to delete from.

Severity/Risk: Minor
Versions affected: 4.4 to 4.4.3, 4.3 to 4.3.7, 4.2 to 4.2.10, 4.1 to 4.1.13 and earlier unsupported versions
Versions fixed: 4.4.4, 4.3.8, 4.2.11 and 4.1.14
Reported by: Frédéric Massart
CVE identifier: CVE-2024-48898
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-83181
Tracker issue: MDL-83181 Some users can delete audiences of other reports