Security announcements

JavaScript “Pollykill” Vulnerability

par Matt Porritt,

Hi All,

Some of you may have seen from various outlets that a vulnerability has been identified in the “polyfill.js” library and particularly the hosted version of that library (cdn.polyfill.io). This is a popular open source library that is used in many sites to add various javascript support features to older web browsers. 

In light of this new vulnerability we have conducted a review of our Moodle products, associated moodle.org and moodle.com sites as well as our Moodle Cloud sites. We can confirm that our systems are not affected by this issue. We do not use this library in our product codebase or in the code of our company sites.

As a point of clarification the Moodle LMS codebase does include a file named `polyfill.js`, which might raise concerns due to the similarity in names. However, we assure you that this file is entirely unrelated to the vulnerability identified, and is just a coincidence.

We take security very seriously. Our team continuously monitors for new threats and vulnerabilities, ensuring that our products remain secure and reliable. We have robust processes in place to assess and mitigate any potential risks swiftly and effectively.

More information on this exploit can be found at https://polykill.io/ and this Sansec article provides a good overview.

Kind Regards,
Matt Porritt
Head of Platform Solutions.

MSA-24-0025: QR login key and auto-login key for the Moodle mobile app should be generated as separate keys

par Michael Hawkins,

A unique key should be generated for a user's QR login key and their auto-login key, so the same key cannot be used interchangeably between the two.

Severity/Risk: Minor
Versions affected: 4.4, 4.3 to 4.3.4, 4.2 to 4.2.7, 4.1 to 4.1.10 and earlier unsupported versions
Versions fixed: 4.4.1, 4.3.5, 4.2.8 and 4.1.11
Reported by: Juan Leyva
CVE identifier: CVE-2024-38277
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-80959
Tracker issue: MDL-80959 QR login key and auto-login key for the Moodle mobile app should be generated as separate keys

MSA-24-0024: CSRF risks due to misuse of confirm_sesskey

par Michael Hawkins,

Incorrect CSRF token checks resulted in multiple CSRF risks.

Severity/Risk: Serious
Versions affected: 4.4, 4.3 to 4.3.4, 4.2 to 4.2.7, 4.1 to 4.1.10 and earlier unsupported versions
Versions fixed: 4.4.1, 4.3.5, 4.2.8 and 4.1.11
Reported by: Vincent Schneider (cli-ish)
CVE identifier: CVE-2024-38276
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-81890
Tracker issue: MDL-81890 CSRF risks due to misuse of confirm_sesskey

MSA-24-0023: HTTP authorization header is preserved between "emulated redirects"

par Michael Hawkins,

The cURL wrapper in Moodle retained the original request headers when following redirects, so HTTP authorization header information could be unintentionally sent in requests to redirect URLs.

Severity/Risk: Minor
Versions affected: 4.4, 4.3 to 4.3.4, 4.2 to 4.2.7, 4.1 to 4.1.10 and earlier unsupported versions
Versions fixed: 4.4.1, 4.3.5, 4.2.8 and 4.1.11
Reported by: cameron1729
CVE identifier: CVE-2024-38275
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-81774
Tracker issue: MDL-81774 HTTP authorization header is preserved between "emulated redirects"

MSA-24-0022: Stored XSS via calendar's event title when deleting the event

par Michael Hawkins,

Insufficient escaping of calendar event titles resulted in a stored XSS risk in the event deletion prompt.

Severity/Risk: Minor
Versions affected: 4.4, 4.3 to 4.3.4, 4.2 to 4.2.7, 4.1 to 4.1.10 and earlier unsupported versions
Versions fixed: 4.4.1, 4.3.5, 4.2.8 and 4.1.11
Reported by: Meirza
CVE identifier: CVE-2024-38274
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-81412
Tracker issue: MDL-81412 Stored XSS via calendar's event title when deleting the event

MSA-24-0021: BigBlueButton web service leaks meeting joining information to users who should not have access

par Michael Hawkins,

Insufficient capability checks meant it was possible for users to gain access to BigBlueButton join URLs they did not have permission to access.

Severity/Risk: Minor
Versions affected: 4.4, 4.3 to 4.3.4, 4.2 to 4.2.7, 4.1 to 4.1.10 and earlier unsupported versions
Versions fixed: 4.4.1, 4.3.5, 4.2.8 and 4.1.11
Reported by: Paul Holden
CVE identifier: CVE-2024-38273
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-81778
Tracker issue: MDL-81778 BigBlueButton web service leaks meeting joining information to users who should not have access

MSA-24-0020: ReCAPTCHA can be bypassed on the login page

par Michael Hawkins,

Insufficient checks whether ReCAPTCHA was enabled made it possible to bypass the checks on the login page. This did not affect other pages where ReCAPTCHA is utilised.

Severity/Risk: Minor
Versions affected: 4.3 to 4.3.3
Versions fixed: 4.3.4
Reported by: caglaroflazoglu
CVE identifier: CVE-2024-34009
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-81463
Tracker issue: MDL-81463 ReCAPTCHA can be bypassed on the login page

MSA-24-0019: CSRF risk in analytics management of models

par Michael Hawkins,

Actions in the admin management of analytics models did not include the necessary token to prevent a CSRF risk.

Severity/Risk: Minor
Versions affected: 4.0 to 4.3.3, 4.2 to 4.2.6, 4.1 to 4.1.9 and earlier unsupported versions
Versions fixed: 4.3.4, 4.2.7 and 4.1.10
Reported by: Paul Holden
CVE identifier: CVE-2024-34008
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-81059
Tracker issue: MDL-81059 CSRF risk in analytics management of models

MSA-24-0018: Logout CSRF in admin/tool/mfa/auth.php

par Michael Hawkins,

The logout option within MFA did not include the necessary token to avoid the risk of users inadvertently being logged out via CSRF.

Severity/Risk: Minor
Versions affected: 4.3 to 4.3.3
Versions fixed: 4.3.4
Reported by: Petr Skoda
CVE identifier: CVE-2024-34007
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-80877
Tracker issue: MDL-80877 Logout CSRF in admin/tool/mfa/auth.php

MSA-24-0017: Unsanitized HTML in site log for config_log_created

par Michael Hawkins,

The site log report required additional encoding of event descriptions to ensure any HTML in the content is displayed in plaintext instead of being rendered.

Severity/Risk: Minor
Versions affected: 4.0 to 4.3.3, 4.2 to 4.2.6, 4.1 to 4.1.9 and earlier unsupported versions
Versions fixed: 4.3.4, 4.2.7 and 4.1.10
Reported by: Leon Stringer
CVE identifier: CVE-2024-34006
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-80585
Tracker issue: MDL-80585 Unsanitized HTML in site log for config_log_created