Security announcements

MSA-24-0044: Lesson activity password bypass through PHP loose comparison

by Michael Hawkins -

When access to a Lesson activity was restricted with a password, certain passwords could be bypassed, or were weaker than intended, because the password checking logic used a loose comparison.

Note: this only affected passwords set to "magic hash" values. These are values for which a loose comparison (PHP's == operator) can treat several different inputs as "matching" the password, instead of the expected behaviour that only an exact match for the password is accepted.

Severity/Risk: Minor
Versions affected: 4.4 to 4.4.2, 4.3 to 4.3.6, 4.2 to 4.2.9, 4.1 to 4.1.12 and earlier unsupported versions
Versions fixed: 4.4.3, 4.3.7, 4.2.10 and 4.1.13
Reported by: TaiYou
Workaround: Avoid using passwords which are considered to be a "magic hash" value (such as those beginning with "0e" followed by digits).
CVE identifier: CVE-2024-45691
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-82365
Tracker issue: MDL-82365 Lesson activity password bypass through PHP loose comparison
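As an added illustration (not code from Moodle or from this advisory), the loose check beside a strict one, using a constructed "0e" password and hypothetical function names rather than the Lesson module's own:

```php
<?php
// Added example, not Moodle code: why a "magic hash" style password matches
// more than one input under loose comparison, and the strict check that
// accepts only the exact password.

// Loose comparison: when both operands are numeric strings, PHP compares them
// as numbers. "0e12345" is parsed as scientific notation for zero, so any
// other numeric string that also evaluates to zero compares equal to it.
function lesson_password_matches_loose(string $stored, string $supplied): bool {
    return $stored == $supplied;
}

// Strict comparison: byte-for-byte equality only. hash_equals() additionally
// runs in constant time, so the comparison does not leak through timing.
function lesson_password_matches_strict(string $stored, string $supplied): bool {
    return hash_equals($stored, $supplied);
}

// Constructed "magic hash" password: "0e" followed only by digits, exactly the
// shape the workaround above says to avoid.
$stored = '0e12345';

// Constructed inputs a user might type; only the last one is the real password.
// 'abc' is not numeric, so even the loose check falls back to string comparison
// and rejects it; the zero-valued numeric strings are the ones that slip through.
$attempts = ['0', '0e999', 'abc', '0e12345'];

foreach ($attempts as $attempt) {
    printf(
        "%-8s loose=%-5s strict=%s\n",
        $attempt,
        var_export(lesson_password_matches_loose($stored, $attempt), true),
        var_export(lesson_password_matches_strict($stored, $attempt), true)
    );
}
```

Run it with `php` on 7.x or 8.x; the numeric-string-to-numeric-string rule that causes the mismatch is unchanged in PHP 8, so only the strict check is safe regardless of version.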

MSA-24-0043: IDOR when deleting OAuth2 linked accounts

by Michael Hawkins -

Additional checks were required to ensure users can only delete their own OAuth2 linked accounts.

Severity/Risk: Minor
Versions affected: 4.4 to 4.4.2, 4.3 to 4.3.6, 4.2 to 4.2.9, 4.1 to 4.1.12 and earlier unsupported versions
Versions fixed: 4.4.3, 4.3.7, 4.2.10 and 4.1.13
Reported by: Trevor McCready
CVE identifier: CVE-2024-45690
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-76962
Tracker issue: MDL-76962 IDOR when deleting OAuth2 linked accounts

MSA-24-0042: Unprotected access to sensitive information via dynamic tables

by Michael Hawkins -

Dynamic tables did not enforce capability checks, which resulted in users having the ability to retrieve information they did not have permission to access.

Note: Please check the end of this announcement for important information related to this fix, including action items that may be required on your site.

Severity/Risk: Serious
Versions affected: 4.4 to 4.4.2, 4.3 to 4.3.6, 4.2 to 4.2.9, 4.1 to 4.1.12 and earlier unsupported versions
Versions fixed: 4.4.3, 4.3.7, 4.2.10 and 4.1.13
Reported by: Frédéric Massart
CVE identifier: CVE-2024-45689
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-82567
Tracker issue: MDL-82567 Unprotected access to sensitive information via dynamic tables

The following is important information about this fix, which includes some action items that may be necessary on your site to ensure continued functionality of dynamic tables:

  • This vulnerability potentially affects all dynamic tables, so the fix implements a new method which forces a capability check.
  • The patches released for Moodle 4.4, 4.3, 4.2 and 4.1 implement a default check which restricts all dynamic tables to admin access only (the moodle/site:config capability), so that any third party code is also automatically protected.
  • Any dynamic tables (classes implementing core_table\dynamic) which require access by non-admins will need to be updated in the code to implement the new ::has_capability() method.
  • From Moodle 4.5, that default will be removed and the ::has_capability() method will become compulsory for dynamic tables (defined in the interface), so if you have any plugins/customisations that include classes implementing core_table\dynamic, those classes will need to be updated to implement the new method. Any dynamic tables without that implementation will trigger a fatal error and fail to load from Moodle 4.5 onwards.
  • The fixes for this issue update all core LMS dynamic tables, so you can refer to those for examples of how to implement this.
  • If your Moodle site(s) do not use any custom or third party code implementing core_table\dynamic, you only need to upgrade your site to the latest minor version (or apply the patch); no further action is required.

MSA-24-0041: LFI vulnerability when restoring malformed block backups

by Michael Hawkins -

A local file include risk when restoring block backups was identified.

Severity/Risk: Serious
Versions affected: 4.4 to 4.4.1, 4.3 to 4.3.5, 4.2 to 4.2.8, 4.1 to 4.1.11 and earlier unsupported versions
Versions fixed: 4.4.2, 4.3.6, 4.2.9 and 4.1.12
Reported by: Paul Holden
CVE identifier: CVE-2024-43440
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-82392
Tracker issue: MDL-82392 LFI vulnerability when restoring malformed block backups

MSA-24-0040: Reflected XSS via H5P error message

by Michael Hawkins -

H5P error messages required additional sanitizing to prevent a reflected XSS risk.

Severity/Risk: Serious
Versions affected: 4.4 to 4.4.1, 4.3 to 4.3.5, 4.2 to 4.2.8, 4.1 to 4.1.11 and earlier unsupported versions
Versions fixed: 4.4.2, 4.3.6, 4.2.9 and 4.1.12
Reported by: TeHoFu
CVE identifier: CVE-2024-43439
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-82558
Tracker issue: MDL-82558 Reflected XSS via H5P error message

MSA-24-0039: IDOR in Feedback non-respondents report allows messaging arbitrary site users

by Michael Hawkins -

Bulk messaging in the Feedback activity's non-respondents report did not verify message recipients belong to the set of users returned by the report.

Severity/Risk: Minor
Versions affected: 4.4 to 4.4.1, 4.3 to 4.3.5, 4.2 to 4.2.8, 4.1 to 4.1.11 and earlier unsupported versions
Versions fixed: 4.4.2, 4.3.6, 4.2.9 and 4.1.12
Reported by: Paul Holden
CVE identifier: CVE-2024-43438
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-82261
Tracker issue: MDL-82261 IDOR in Feedback non-respondents report allows messaging arbitrary site users

MSA-24-0038: XSS risk when restoring malicious course backup file

by Michael Hawkins -

Insufficient sanitizing of data when performing a restore could result in an XSS risk from malicious backup files.

Severity/Risk: Minor
Versions affected: 4.4 to 4.4.1, 4.3 to 4.3.5, 4.2 to 4.2.8, 4.1 to 4.1.11 and earlier unsupported versions
Versions fixed: 4.4.2, 4.3.6, 4.2.9 and 4.1.12
Reported by: Adam Chovanec
CVE identifier: CVE-2024-43437
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-81394
Tracker issue: MDL-81394 XSS risk when restoring malicious course backup file

MSA-24-0037: Site administration SQL injection via XMLDB editor

by Michael Hawkins -

An SQL injection risk was identified in the XMLDB editor tool available to site administrators.

Severity/Risk: Serious
Versions affected: 4.4 to 4.4.1, 4.3 to 4.3.5, 4.2 to 4.2.8, 4.1 to 4.1.11 and earlier unsupported versions
Versions fixed: 4.4.2, 4.3.6, 4.2.9 and 4.1.12
Reported by: TaiYou
CVE identifier: CVE-2024-43436
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-82395
Tracker issue: MDL-82395 Site administration SQL injection via XMLDB editor

MSA-24-0036: Can create global glossary without being admin

by Michael Hawkins -

Insufficient capability checks made it possible for users with access to restore glossaries in courses to restore them into the global site glossary.

Severity/Risk: Minor
Versions affected: 4.4 to 4.4.1, 4.3 to 4.3.5, 4.2 to 4.2.8, 4.1 to 4.1.11 and earlier unsupported versions
Versions fixed: 4.4.2, 4.3.6, 4.2.9 and 4.1.12
Reported by: Robert Schrenk
CVE identifier: CVE-2024-43435
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-64984
Tracker issue: MDL-64984 Can create global glossary without being admin

MSA-24-0035: CSRF risk in Feedback non-respondents report

by Michael Hawkins -

The bulk message sending feature for the Feedback module's non-respondents report had an incorrect CSRF token check, resulting in a CSRF risk.

Severity/Risk: Serious
Versions affected: 4.4 to 4.4.1, 4.3 to 4.3.5, 4.2 to 4.2.8, 4.1 to 4.1.11 and earlier unsupported versions
Versions fixed: 4.4.2, 4.3.6, 4.2.9 and 4.1.12
Reported by: Paul Holden
CVE identifier: CVE-2024-43434
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-82262
Tracker issue: MDL-82262 CSRF risk in Feedback non-respondents report