Security announcements

MSA-24-0006: IDOR on dashboard comments block

Michael Hawkins

Insufficient checks in a web service made it possible to add comments to the comments block on another user's dashboard when it was not otherwise available (e.g. on their profile page).


Severity/Risk: Minor
Versions affected: 4.3 to 4.3.2, 4.2 to 4.2.5, 4.1 to 4.1.8 and earlier unsupported versions
Versions fixed: 4.3.3, 4.2.6 and 4.1.9
Reported by: BA7MAN
CVE identifier: CVE-2024-25983
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-78300
Tracker issue: MDL-78300 IDOR on dashboard comments block

MSA-24-0005: CSRF risk in Language import utility

Michael Hawkins

The link to update all installed language packs did not include the necessary token to prevent a CSRF risk.


Severity/Risk: Minor
Versions affected: 4.3 to 4.3.2, 4.2 to 4.2.5, 4.1 to 4.1.8 and earlier unsupported versions
Versions fixed: 4.3.3, 4.2.6 and 4.1.9
Reported by: Panagiotis Petasis
CVE identifier: CVE-2024-25982
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-54749
Tracker issue: MDL-54749 CSRF risk in Language import utility

MSA-24-0004: Forum export did not respect activity group settings

Michael Hawkins

Separate Groups mode restrictions were not honoured when performing a forum export, which would export forum data for all groups. By default this only provided additional access to non-editing teachers.


Severity/Risk: Minor
Versions affected: 4.3 to 4.3.2, 4.2 to 4.2.5, 4.1 to 4.1.8 and earlier unsupported versions
Versions fixed: 4.3.3, 4.2.6 and 4.1.9
Reported by: Leon Stringer
CVE identifier: CVE-2024-25981
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-80504
Tracker issue: MDL-80504 Forum export did not respect activity group settings

MSA-24-0003: H5P attempts report did not respect activity group settings

Michael Hawkins

Separate Groups mode restrictions were not honoured in the H5P attempts report, which would display users from other groups. By default this only provided additional access to non-editing teachers.


Severity/Risk: Minor
Versions affected: 4.3 to 4.3.2, 4.2 to 4.2.5, 4.1 to 4.1.8 and earlier unsupported versions
Versions fixed: 4.3.3, 4.2.6 and 4.1.9
Reported by: Leon Stringer
CVE identifier: CVE-2024-25980
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-80501
Tracker issue: MDL-80501 H5P attempts report did not respect activity group settings

MSA-24-0002: Forum search accepted random parameters in its URL

Michael Hawkins

The URL parameters accepted by forum search were not limited to the allowed parameters.


Severity/Risk: Minor
Versions affected: 4.3 to 4.3.2, 4.2 to 4.2.5, 4.1 to 4.1.8 and earlier unsupported versions
Versions fixed: 4.3.3, 4.2.6 and 4.1.9
Reported by: Piotr Widak
CVE identifier: CVE-2024-25979
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-69774
Tracker issue: MDL-69774 Forum search accepted random parameters in its URL

MSA-24-0001: Denial of service risk in file picker unzip functionality

Michael Hawkins

Insufficient file size checks resulted in a denial of service risk in the file picker's unzip functionality.


Severity/Risk: Serious
Versions affected: 4.3 to 4.3.2, 4.2 to 4.2.5, 4.1 to 4.1.8 and earlier unsupported versions
Versions fixed: 4.3.3, 4.2.6 and 4.1.9
Reported by: Sam Ezeh
CVE identifier: CVE-2024-25978
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-74641
Tracker issue: MDL-74641 Denial of service risk in file picker unzip functionality

MSA-23-0053: Reflected XSS risk on ad-hoc tasks page

Michael Hawkins

The "classname" parameter on the admin ad-hoc tasks page required additional sanitizing to prevent a reflected XSS risk.


Severity/Risk: Serious
Versions affected: 4.3 and 4.2 to 4.2.3
Versions fixed: 4.3.1 and 4.2.4
Reported by: Paul Holden
CVE identifier: CVE-2023-6670
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-79839
Tracker issue: MDL-79839 Reflected XSS risk on ad-hoc tasks page

MSA-23-0052: XSS risk when manually running a task in the admin UI

Michael Hawkins

The mtrace output when running a task in the admin UI required additional sanitizing to prevent an XSS risk.


Severity/Risk: Minor
Versions affected: 4.3, 4.2 to 4.2.3, 4.1 to 4.1.6, 4.0 to 4.0.11, 3.11 to 3.11.17, 3.9 to 3.9.24 and earlier unsupported versions
Versions fixed: 4.3.1, 4.2.4, 4.1.7, 4.0.12, 3.11.18 and 3.9.25
Reported by: Brendan Heywood
CVE identifier: CVE-2023-6669
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-80309
Tracker issue: MDL-80309 XSS risk when manually running a task in the admin UI

MSA-23-0051: Badge recipients are available to all users

Michael Hawkins

Insufficient capability checks meant it was possible for all users to view the recipients of badges.


Severity/Risk: Minor
Versions affected: 4.3, 4.2 to 4.2.3, 4.1 to 4.1.6, 4.0 to 4.0.11, 3.11 to 3.11.17, 3.9 to 3.9.24 and earlier unsupported versions
Versions fixed: 4.3.1, 4.2.4, 4.1.7, 4.0.12, 3.11.18 and 3.9.25
Reported by: Sara Arjona (@sarjona)
CVE identifier: CVE-2023-6668
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-80268
Tracker issue: MDL-80268 Badge recipients are available to all users

MSA-23-0050: Survey responses did not respect group settings

Michael Hawkins

Separate Groups mode restrictions were not honoured in survey response reports, which would display users from other groups.


Severity/Risk: Minor
Versions affected: 4.3, 4.2 to 4.2.3, 4.1 to 4.1.6, 4.0 to 4.0.11, 3.11 to 3.11.17, 3.9 to 3.9.24 and earlier unsupported versions
Versions fixed: 4.3.1, 4.2.4, 4.1.7, 4.0.12, 3.11.18 and 3.9.25
Reported by: Leon Stringer
CVE identifier: CVE-2023-6667
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-79980
Tracker issue: MDL-79980 Survey responses did not respect group settings