Security announcements

MSA-23-0043: Forum summary report shows students from other groups when in Separate Groups mode

by Michael Hawkins -

Separate Groups mode restrictions were not honoured in the forum summary report, which would display users from other groups.


Severity/Risk: Minor
Versions affected: 4.2 to 4.2.2, 4.1 to 4.1.5, 4.0 to 4.0.10, 3.11 to 3.11.16, 3.9 to 3.9.23 and earlier unsupported versions
Versions fixed: 4.2.3, 4.1.6, 4.0.11, 3.11.17 and 3.9.24
Reported by: Fabián Glagovsky
CVE identifier: CVE-2023-5551
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-79310
Tracker issue: MDL-79310 Forum summary report shows students from other groups when in Separate Groups mode

MSA-23-0042: RCE due to LFI risk in some misconfigured shared hosting environments

by Michael Hawkins -

In a shared hosting environment that has been misconfigured to allow access to other users' content, a Moodle user who also has direct access to the web server outside of the Moodle webroot could utilise a local file include to achieve remote code execution.


Severity/Risk: Serious
Versions affected: 4.2 to 4.2.2, 4.1 to 4.1.5, 4.0 to 4.0.10, 3.11 to 3.11.16, 3.9 to 3.9.23 and earlier unsupported versions
Versions fixed: 4.2.3, 4.1.6, 4.0.11, 3.11.17 and 3.9.24
Reported by: 0xkasper
CVE identifier: CVE-2023-5550
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-72249
Tracker issue: MDL-72249 RCE due to LFI risk in some misconfigured shared hosting environments

MSA-23-0041: Insufficient capability checks when updating the parent of a course category

by Michael Hawkins -

Insufficient web service capability checks made it possible to move categories a user had permission to manage, to a parent category they did not have the capability to manage.


Severity/Risk: Minor
Versions affected: 4.2 to 4.2.2, 4.1 to 4.1.5, 4.0 to 4.0.10, 3.11 to 3.11.16, 3.9 to 3.9.23 and earlier unsupported versions
Versions fixed: 4.2.3, 4.1.6, 4.0.11, 3.11.17 and 3.9.24
Reported by: Erica Bithell
CVE identifier: CVE-2023-5549
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-66730
Tracker issue: MDL-66730 Insufficient capability checks when updating the parent of a course category

MSA-23-0040: Make file serving endpoints revision control stricter

by Michael Hawkins -

Stronger revision number limitations were required on file serving endpoints to improve cache poisoning protection.


Severity/Risk: Minor
Versions affected: 4.2 to 4.2.2, 4.1 to 4.1.5, 4.0 to 4.0.10, 3.11 to 3.11.16, 3.9 to 3.9.23 and earlier unsupported versions
Versions fixed: 4.2.3, 4.1.6, 4.0.11, 3.11.17 and 3.9.24
Reported by: Yaniv Nizry (SonarSource)
CVE identifier: CVE-2023-5548
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-77846
Tracker issue: MDL-77846 Make file serving endpoints revision control stricter

MSA-23-0039: XSS risk when previewing data in course upload tool

by Michael Hawkins -

The course upload preview contained an XSS risk for users uploading unsafe data.


Severity/Risk: Minor
Versions affected: 4.2 to 4.2.2, 4.1 to 4.1.5, 4.0 to 4.0.10, 3.11 to 3.11.16, 3.9 to 3.9.23 and earlier unsupported versions
Versions fixed: 4.2.3, 4.1.6, 4.0.11, 3.11.17 and 3.9.24
Reported by: Paul Holden
Workaround: Verify the contents and trustworthiness of course data before uploading it.
CVE identifier: CVE-2023-5547
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-79455
Tracker issue: MDL-79455 XSS risk when previewing data in course upload tool

MSA-23-0038: Stored XSS in quiz grading report via user ID number

by Michael Hawkins -

ID numbers displayed in the quiz grading report required additional sanitizing to prevent a stored XSS risk.


Severity/Risk: Minor
Versions affected: 4.2 to 4.2.2, 4.1 to 4.1.5 and 4.0 to 4.0.10
Versions fixed: 4.2.3, 4.1.6 and 4.0.11
Reported by: Paul Holden
CVE identifier: CVE-2023-5546
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-78971
Tracker issue: MDL-78971 Stored XSS in quiz grading report via user ID number

MSA-23-0037: Auto-populated H5P author name causes a potential information leak

by Michael Hawkins -

H5P metadata automatically populated the author with the user's username, which could be sensitive information.


Severity/Risk: Minor
Versions affected: 4.2 to 4.2.2, 4.1 to 4.1.5, 4.0 to 4.0.10, 3.11 to 3.11.16, 3.9 to 3.9.23 and earlier unsupported versions
Versions fixed: 4.2.3, 4.1.6, 4.0.11, 3.11.17 and 3.9.24
Reported by: Josh Manders
CVE identifier: CVE-2023-5545
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-78820
Tracker issue: MDL-78820 Auto-populated H5P author name causes a potential information leak

MSA-23-0036: Stored XSS and potential IDOR risk in Wiki comments

by Michael Hawkins -

Wiki comments required additional sanitizing and access restrictions to prevent a stored XSS risk and potential IDOR risk.


Severity/Risk: Serious
Versions affected: 4.2 to 4.2.2, 4.1 to 4.1.5, 4.0 to 4.0.10, 3.11 to 3.11.16, 3.9 to 3.9.23 and earlier unsupported versions
Versions fixed: 4.2.3, 4.1.6, 4.0.11, 3.11.17 and 3.9.24
Reported by: h1w0rld
CVE identifier: CVE-2023-5544
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-79509
Tracker issue: MDL-79509 Stored XSS and potential IDOR risk in Wiki comments

MSA-23-0035: Duplicating a BigBlueButton activity assigns the same meeting ID

by Michael Hawkins -

When duplicating a BigBlueButton activity, the original meeting ID was also duplicated instead of using a new ID for the new activity. This could provide unintended access to the original meeting.


Severity/Risk: Minor
Versions affected: 4.2 to 4.2.2, 4.1 to 4.1.5 and 4.0 to 4.0.10
Versions fixed: 4.2.3, 4.1.6 and 4.0.11
Reported by: Lionel Caylat
Workaround: Manually create a fresh BigBlueButton activity instead of duplicating, until the patch has been applied.
CVE identifier: CVE-2023-5543
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-77795
Tracker issue: MDL-77795 Duplicating a BigBlueButton activity assigns the same meeting ID

MSA-23-0034: Students could see other students in "Only see own membership" groups

by Michael Hawkins -

Students in "Only see own membership" groups could see other students in the group, which should be hidden.


Severity/Risk: Minor
Versions affected: 4.2.2
Versions fixed: 4.2.3
Reported by: Eliot
CVE identifier: CVE-2023-5542
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-79213
Tracker issue: MDL-79213 Students could see other students in "Only see own membership" groups