Security announcements

MSA-24-0025: QR login key and auto-login key for the Moodle mobile app should be generated as separate keys

- Posted by Michael Hawkins

A unique key should be generated for a user's QR login key and their auto-login key, so the same key cannot be used interchangeably between the two.

Severity/Risk: Minor
Versions affected: 4.4, 4.3 to 4.3.4, 4.2 to 4.2.7, 4.1 to 4.1.10 and earlier unsupported versions
Versions fixed: 4.4.1, 4.3.5, 4.2.8 and 4.1.11
Reported by: Juan Leyva
CVE identifier: CVE-2024-38277
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-80959
Tracker issue: MDL-80959 QR login key and auto-login key for the Moodle mobile app should be generated as separate keys
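The advisory above only states the requirement (two independent keys, one per purpose); the following is an added example of how to meet it, written for this page in Python rather than taken from Moodle's PHP. It assumes a hypothetical key store, a "qrlogin"/"autologin" purpose label, one-time redemption and a TTL, none of which are specified by the advisory. The point it demonstrates is that every key is fresh entropy and its purpose is bound into the lookup, so a key minted for QR login cannot be presented as an auto-login key even if the two flows share storage.

```python
import hashlib
import secrets
import time


class MobileKeyStore:
    """Hypothetical per-purpose key store for a mobile app (not Moodle's code)."""

    QR_LOGIN = "qrlogin"       # assumed purpose labels
    AUTO_LOGIN = "autologin"

    def __init__(self, now=time.time):
        self._now = now
        self._keys = {}        # digest -> (userid, purpose, expires_at)

    @staticmethod
    def _digest(raw, purpose):
        # The purpose is mixed into the stored digest, so a key issued for one
        # purpose does not even resolve to a record when looked up under another.
        return hashlib.sha256(purpose.encode() + b"\0" + raw.encode()).hexdigest()

    def issue(self, userid, purpose, ttl_seconds):
        # Fresh random bytes per key; never derived from, or shared with, the other key.
        raw = secrets.token_urlsafe(32)
        self._keys[self._digest(raw, purpose)] = (userid, purpose, self._now() + ttl_seconds)
        return raw

    def redeem(self, raw, purpose):
        """Return the user id if `raw` is a live key for `purpose`, else None.
        Keys are single-use (assumption): a successful or expired lookup removes them."""
        entry = self._keys.pop(self._digest(raw, purpose), None)
        if entry is None:
            return None
        userid, stored_purpose, expires_at = entry
        if stored_purpose != purpose or self._now() > expires_at:
            return None
        return userid


def demo():
    """Issue both keys for one user and show the QR key is rejected as an auto-login key."""
    store = MobileKeyStore()
    qr_key = store.issue(42, MobileKeyStore.QR_LOGIN, ttl_seconds=600)
    auto_key = store.issue(42, MobileKeyStore.AUTO_LOGIN, ttl_seconds=3600)
    return {
        "keys_differ": qr_key != auto_key,
        "qr_as_autologin": store.redeem(qr_key, MobileKeyStore.AUTO_LOGIN),   # None
        "qr_as_qr": store.redeem(qr_key, MobileKeyStore.QR_LOGIN),            # 42
        "qr_replayed": store.redeem(qr_key, MobileKeyStore.QR_LOGIN),         # None, single use
        "auto_as_auto": store.redeem(auto_key, MobileKeyStore.AUTO_LOGIN),    # 42
    }


if __name__ == "__main__":
    print(demo())
```

The contrast with the reported weakness is the `issue` call: a design that hands the same value to both flows, or derives one from the other, lets the shorter-lived QR key double as the longer-lived auto-login credential. Binding the purpose into the digest also means a database leak of the auto-login table does not yield usable QR keys.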

MSA-24-0024: CSRF risks due to misuse of confirm_sesskey

- Posted by Michael Hawkins

Incorrect CSRF token checks resulted in multiple CSRF risks.

Severity/Risk: Serious
Versions affected: 4.4, 4.3 to 4.3.4, 4.2 to 4.2.7, 4.1 to 4.1.10 and earlier unsupported versions
Versions fixed: 4.4.1, 4.3.5, 4.2.8 and 4.1.11
Reported by: Vincent Schneider (cli-ish)
CVE identifier: CVE-2024-38276
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-81890
Tracker issue: MDL-81890 CSRF risks due to misuse of confirm_sesskey

MSA-24-0023: HTTP authorization header is preserved between "emulated redirects"

- Posted by Michael Hawkins

The cURL wrapper in Moodle retained the original request headers when following redirects, so HTTP authorization header information could be unintentionally sent in requests to redirect URLs.

Severity/Risk: Minor
Versions affected: 4.4, 4.3 to 4.3.4, 4.2 to 4.2.7, 4.1 to 4.1.10 and earlier unsupported versions
Versions fixed: 4.4.1, 4.3.5, 4.2.8 and 4.1.11
Reported by: cameron1729
CVE identifier: CVE-2024-38275
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-81774
Tracker issue: MDL-81774 HTTP authorization header is preserved between "emulated redirects"
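An added example, in Python and not Moodle's cURL wrapper, of the failure described above and the usual remedy: a client that follows redirects itself ("emulated redirects") must decide per hop which request headers still belong on the new target. The rule applied here is the one libcurl uses by default for Authorization, namely drop credential headers when the redirect leaves the origin of the URL they were sent to. The transport, URLs and tokens below are constructed for the example; `strip_credentials=False` reproduces the reported behaviour for comparison.

```python
from dataclasses import dataclass, field
from urllib.parse import urljoin, urlsplit

# Request headers that are credentials for the origin they were set for.
CREDENTIAL_HEADERS = {"authorization", "proxy-authorization", "cookie"}
REDIRECT_STATUSES = {301, 302, 303, 307, 308}
DEFAULT_PORTS = {"http": 80, "https": 443}


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: bytes = b""


def same_origin(url_a, url_b):
    """Scheme, host and (default-normalised) port must all match."""
    def origin(url):
        p = urlsplit(url)
        return p.scheme, p.hostname, p.port or DEFAULT_PORTS.get(p.scheme)
    return origin(url_a) == origin(url_b)


def fetch(url, headers, send, max_redirects=5, strip_credentials=True):
    """Emulated redirect following; `send(url, headers)` performs one request.
    With strip_credentials=False the caller's Authorization header is re-sent
    to whatever host the Location header names (the reported weakness)."""
    headers = dict(headers)
    for _ in range(max_redirects + 1):
        resp = send(url, dict(headers))
        if resp.status not in REDIRECT_STATUSES or "Location" not in resp.headers:
            return resp
        target = urljoin(url, resp.headers["Location"])   # resolves relative Locations too
        if strip_credentials and not same_origin(url, target):
            headers = {k: v for k, v in headers.items() if k.lower() not in CREDENTIAL_HEADERS}
        url = target
    raise RuntimeError("too many redirects")


def make_transport(routes):
    """Constructed offline transport: `routes` maps URL -> Response, and `seen`
    records the headers each URL received so the outcome can be inspected."""
    seen = {}

    def send(url, headers):
        seen[url] = headers
        return routes[url]
    return send, seen


# Constructed scenario: one cross-origin redirect (to a CDN) and one same-origin redirect.
ROUTES = {
    "https://lms.example/webservice/file.php": Response(302, {"Location": "https://cdn.example.net/blob?sig=abc"}),
    "https://cdn.example.net/blob?sig=abc": Response(200, body=b"blob"),
    "https://lms.example/old": Response(301, {"Location": "/new"}),
    "https://lms.example/new": Response(200, body=b"new"),
}
REQUEST_HEADERS = {"Authorization": "Bearer s3cr3t-token", "Accept": "*/*"}


def run(strip_credentials):
    """Fetch both constructed URLs and return the headers every hop received."""
    send, seen = make_transport(ROUTES)
    fetch("https://lms.example/webservice/file.php", REQUEST_HEADERS, send, strip_credentials=strip_credentials)
    fetch("https://lms.example/old", REQUEST_HEADERS, send, strip_credentials=strip_credentials)
    return seen


if __name__ == "__main__":
    for mode in (False, True):
        hops = run(strip_credentials=mode)
        print("strip_credentials=%s -> CDN saw Authorization: %s" % (
            mode, "Authorization" in hops["https://cdn.example.net/blob?sig=abc"]))
```

Two details matter in practice. Relative `Location` values must be resolved against the current URL before the origin comparison, or a same-origin hop would look foreign. And the non-credential headers (Accept, User-Agent and the like) are intentionally kept across every hop; only the origin-bound ones are dropped.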

MSA-24-0022: Stored XSS via calendar's event title when deleting the event

- Posted by Michael Hawkins

Insufficient escaping of calendar event titles resulted in a stored XSS risk in the event deletion prompt.

Severity/Risk: Minor
Versions affected: 4.4, 4.3 to 4.3.4, 4.2 to 4.2.7, 4.1 to 4.1.10 and earlier unsupported versions
Versions fixed: 4.4.1, 4.3.5, 4.2.8 and 4.1.11
Reported by: Meirza
CVE identifier: CVE-2024-38274
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-81412
Tracker issue: MDL-81412 Stored XSS via calendar's event title when deleting the event

MSA-24-0021: BigBlueButton web service leaks meeting joining information to users who should not have access

- Posted by Michael Hawkins

Insufficient capability checks meant it was possible for users to gain access to BigBlueButton join URLs they did not have permission to access.

Severity/Risk: Minor
Versions affected: 4.4, 4.3 to 4.3.4, 4.2 to 4.2.7, 4.1 to 4.1.10 and earlier unsupported versions
Versions fixed: 4.4.1, 4.3.5, 4.2.8 and 4.1.11
Reported by: Paul Holden
CVE identifier: CVE-2024-38273
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-81778
Tracker issue: MDL-81778 BigBlueButton web service leaks meeting joining information to users who should not have access

MSA-24-0020: ReCAPTCHA can be bypassed on the login page

- Posted by Michael Hawkins

Insufficient checks of whether ReCAPTCHA was enabled made it possible to bypass the checks on the login page. This did not affect other pages where ReCAPTCHA is utilised.

Severity/Risk: Minor
Versions affected: 4.3 to 4.3.3
Versions fixed: 4.3.4
Reported by: caglaroflazoglu
CVE identifier: CVE-2024-34009
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-81463
Tracker issue: MDL-81463 ReCAPTCHA can be bypassed on the login page

MSA-24-0019: CSRF risk in analytics management of models

- Posted by Michael Hawkins

Actions in the admin management of analytics models did not include the necessary token to prevent a CSRF risk.

Severity/Risk: Minor
Versions affected: 4.0 to 4.3.3, 4.2 to 4.2.6, 4.1 to 4.1.9 and earlier unsupported versions
Versions fixed: 4.3.4, 4.2.7 and 4.1.10
Reported by: Paul Holden
CVE identifier: CVE-2024-34008
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-81059
Tracker issue: MDL-81059 CSRF risk in analytics management of models

MSA-24-0018: Logout CSRF in admin/tool/mfa/auth.php

- Posted by Michael Hawkins

The logout option within MFA did not include the necessary token to avoid the risk of users inadvertently being logged out via CSRF.

Severity/Risk: Minor
Versions affected: 4.3 to 4.3.3
Versions fixed: 4.3.4
Reported by: Petr Skoda
CVE identifier: CVE-2024-34007
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-80877
Tracker issue: MDL-80877 Logout CSRF in admin/tool/mfa/auth.php
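Three of the advisories on this page (MSA-24-0024, MSA-24-0019 and MSA-24-0018) are the same class of bug from two directions: a state-changing action whose link carries no session-key token at all, or one whose handler calls a check that merely reports the result and then ignores it. The example below is added here in Python (Moodle's own functions are PHP: confirm_sesskey() returns a boolean, require_sesskey() throws) to show both the misuse and the fix side by side. The analytics-model admin page, the model identifiers and the URL are constructed for the example.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit


class CsrfError(Exception):
    """Raised when a state-changing request carries no valid session key."""


class Session:
    def __init__(self):
        # One random per-session secret; a cross-site attacker cannot read it,
        # so a forged request cannot echo it back.
        self.sesskey = secrets.token_urlsafe(16)


def confirm_sesskey(session, submitted):
    """Reporting check: returns True/False and never enforces anything."""
    if submitted is None:
        return False
    return hmac.compare_digest(session.sesskey, submitted)


def require_sesskey(session, submitted):
    """Enforcing check: raises before the caller can change any state."""
    if not confirm_sesskey(session, submitted):
        raise CsrfError("session key missing or invalid")


class AnalyticsModels:
    """Constructed stand-in for an admin page that enables/disables models."""

    def __init__(self):
        self.enabled = {1: True, 2: True}


def disable_model_vulnerable(models, session, params):
    # Misuse: the boolean result is discarded, so this call is a no-op and a
    # forged request with a guessed, stale or absent sesskey still succeeds.
    confirm_sesskey(session, params.get("sesskey"))
    models.enabled[int(params["id"])] = False
    return True


def disable_model_fixed(models, session, params):
    require_sesskey(session, params.get("sesskey"))   # raises; nothing below runs
    models.enabled[int(params["id"])] = False
    return True


def action_url(base, session, **params):
    """Build an action link that carries the token (the fix for links that lacked one,
    such as the logout link in MSA-24-0018 or the model actions in MSA-24-0019)."""
    return base + "?" + urlencode({**params, "sesskey": session.sesskey})


def params_from_url(url):
    """Flatten the query string the way a request handler would see it."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


if __name__ == "__main__":
    session, models = Session(), AnalyticsModels()
    forged = {"id": "1", "sesskey": "attacker-guess"}
    print("vulnerable handler disabled model 1:", disable_model_vulnerable(models, session, forged))
    try:
        disable_model_fixed(models, session, forged)
    except CsrfError as exc:
        print("fixed handler refused:", exc)
    link = action_url("https://lms.example/admin/tool/analytics/index.php", session, action="disable", id="2")
    print("legitimate link works:", disable_model_fixed(models, session, params_from_url(link)))
```

Two habits prevent the misuse: treat a bool-returning check as a question and branch on the answer, and prefer the raising variant in handlers, where a forgotten `if` otherwise silently disables the protection. Carrying the token on a link is necessary for GET-triggered actions such as logout, but state changes belong on POST with the token in the body, which also keeps the secret out of referrers and logs.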

MSA-24-0017: Unsanitized HTML in site log for config_log_created

- Posted by Michael Hawkins

The site log report required additional encoding of event descriptions to ensure any HTML in the content is displayed in plaintext instead of being rendered.

Severity/Risk: Minor
Versions affected: 4.0 to 4.3.3, 4.2 to 4.2.6, 4.1 to 4.1.9 and earlier unsupported versions
Versions fixed: 4.3.4, 4.2.7 and 4.1.10
Reported by: Leon Stringer
CVE identifier: CVE-2024-34006
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-80585
Tracker issue: MDL-80585 Unsanitized HTML in site log for config_log_created

MSA-24-0016: Authenticated LFI risk in some misconfigured shared hosting environments via modified mod_data backup

- Posted by Michael Hawkins

In a shared hosting environment that has been misconfigured to allow access to other users' content, a Moodle user with both access to restore database activity modules and direct access to the web server outside of the Moodle webroot could execute a local file include.

Severity/Risk: Serious
Versions affected: 4.0 to 4.3.3, 4.2 to 4.2.6, 4.1 to 4.1.9 and earlier unsupported versions
Versions fixed: 4.3.4, 4.2.7 and 4.1.10
Reported by: Vincent Schneider (cli-ish)
CVE identifier: CVE-2024-34005
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-81267
Tracker issue: MDL-81267 Authenticated LFI risk in some misconfigured shared hosting environments via modified mod_data backup