Security announcements

MSA-23-0030: Quiz sequential navigation bypass possible

by Michael Hawkins -

Insufficient limitations made it possible for students to bypass sequential navigation during a quiz attempt.


Severity/Risk: Minor
Versions affected: 4.2 to 4.2.1, 4.1 to 4.1.4, 4.0 to 4.0.9, 3.11 to 3.11.15, 3.9 to 3.9.22 and earlier unsupported versions
Versions fixed: 4.2.2, 4.1.5, 4.0.10, 3.11.16 and 3.9.23
Reported by: Abhijit A M
CVE identifier: CVE-2023-40325
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71728
Tracker issue: MDL-71728 Quiz sequential navigation bypass possible

MSA-23-0029: Competency framework tools are not restricted as intended

by Michael Hawkins -

Insufficient capability checks resulted in competency framework tools being available to users without the relevant capability.


Severity/Risk: Minor
Versions affected: 4.2 to 4.2.1, 4.1 to 4.1.4, 4.0 to 4.0.9, 3.11 to 3.11.15, 3.9 to 3.9.22 and earlier unsupported versions
Versions fixed: 4.2.2, 4.1.5, 4.0.10, 3.11.16 and 3.9.23
Reported by: Michael Hawkins
CVE identifier: CVE-2023-40324
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-66212
Tracker issue: MDL-66212 Competency framework tools are not restricted as intended

MSA-23-0028: Open redirect risk on admin view all policies page

by Michael Hawkins -

The admin view all policies page URL required additional sanitizing to prevent an open redirect risk.


Severity/Risk: Minor
Versions affected: 4.2 to 4.2.1, 4.1 to 4.1.4, 4.0 to 4.0.9, 3.11 to 3.11.15, 3.9 to 3.9.22 and earlier unsupported versions
Versions fixed: 4.2.2, 4.1.5, 4.0.10, 3.11.16 and 3.9.23
Reported by: Darko Miletic
CVE identifier: CVE-2023-40323
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-78763
Tracker issue: MDL-78763 Open redirect risk on admin view all policies page

MSA-23-0027: JQuery UI library upgraded to 1.13.2 (upstream)

by Michael Hawkins -

The JQuery UI library included with Moodle has been upgraded to version 1.13.2, which includes fixes for security issues.


Severity/Risk: Minor
Versions affected: 3.11 to 3.11.15, 3.9 to 3.9.22 and earlier unsupported versions
Versions fixed: 3.11.16 and 3.9.23
Reported by: Wolf Ventir
CVE identifier: CVE-2022-31160, CVE-2021-41184, CVE-2021-41183 and CVE-2021-41182
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-74544
Tracker issue: MDL-74544 JQuery UI library upgraded to 1.13.2 (upstream)

MSA-23-0026: IDOR in message processor fragments allows fetching of other users' data

by Michael Hawkins -

Insufficient capability checks made it possible to fetch other users' message processor preferences data.


Severity/Risk: Minor
Versions affected: 4.2 to 4.2.1, 4.1 to 4.1.4, 4.0 to 4.0.9, 3.11 to 3.11.15, 3.9 to 3.9.22 and earlier unsupported versions
Versions fixed: 4.2.2, 4.1.5, 4.0.10, 3.11.16 and 3.9.23
Reported by: Paul Holden
CVE identifier: CVE-2023-40322
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-78792
Tracker issue: MDL-78792 IDOR in message processor fragments allows fetching of other users' data

MSA-23-0025: phpCAS library upgraded to 1.6.0 (upstream)

by Michael Hawkins -

The phpCAS library included with Moodle has been upgraded to version 1.6.0, which includes a fix for a serious security issue.


Severity/Risk: Serious
Versions affected: 4.0 to 4.0.9, 3.11 to 3.11.15, 3.9 to 3.9.22 and earlier unsupported versions
Versions fixed: 4.0.10, 3.11.16 and 3.9.23
Reported by: Julien Boulen
CVE identifier: CVE-2022-39369
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-78620
Tracker issue: MDL-78620 phpCAS library upgraded to 1.6.0 (upstream)

MSA-23-0024: Private course participant data available from external grade report method

by Michael Hawkins -

Insufficient capability checks resulted in course participant data being available to other participants in the course who would not otherwise have access to the information.


Severity/Risk: Minor
Versions affected: 4.2 to 4.2.1
Versions fixed: 4.2.2
Reported by: Paul Holden
CVE identifier: CVE-2023-40321
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-78871
Tracker issue: MDL-78871 Private course participant data available from external grade report method

MSA-23-0023: Stored self-XSS escalated to stored XSS via OAuth 2 login

by Michael Hawkins -

It was possible to escalate stored self-XSS to stored XSS where users log in via OAuth 2.


Severity/Risk: Serious
Versions affected: 4.2 to 4.2.1, 4.1 to 4.1.4, 4.0 to 4.0.9, 3.11 to 3.11.15, 3.9 to 3.9.22 and earlier unsupported versions
Versions fixed: 4.2.2, 4.1.5, 4.0.10, 3.11.16 and 3.9.23
Reported by: Yaniv Nizry (SonarSource)
CVE identifier: CVE-2023-40320
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-78685
Tracker issue: MDL-78685 Stored self-XSS escalated to stored XSS via OAuth 2 login

MSA-23-0022: SQL injection risk in grader report sorting

by Michael Hawkins -

An SQL injection risk was identified in the grader report sorting.

(Note: By default the capability to access this page is only available to teachers, non-editing teachers and managers.)

Severity/Risk: Serious
Versions affected: 4.2 to 4.2.1
Versions fixed: 4.2.2
Reported by: Paul Holden
Workaround: Remove access to the gradereport/grader:view capability until the patch has been applied.
CVE identifier: CVE-2023-40319
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-78790
Tracker issue: MDL-78790 SQL injection risk in grader report sorting

MSA-23-0021: Some block permissions on Dashboard not respected

by Michael Hawkins -

Permission overrides on individual blocks in the system dashboard did not cascade to user dashboards.


Severity/Risk: Minor
Versions affected: 4.2 to 4.2.1, 4.1 to 4.1.4, 4.0 to 4.0.9, 3.11 to 3.11.15, 3.9 to 3.9.22 and earlier unsupported versions
Versions fixed: 4.2.2, 4.1.5, 4.0.10, 3.11.16 and 3.9.23
Reported by: Bas Harkink
CVE identifier: CVE-2023-40318
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-78340
Tracker issue: MDL-78340 Some block permissions on Dashboard not respected