Security announcements

JavaScript “Pollykill” Vulnerability

- Post by Matt Porritt

Hi All,

Some of you may have seen from various outlets that a vulnerability has been identified in the “polyfill.js” library and particularly the hosted version of that library (cdn.polyfill.io). This is a popular open source library that is used in many sites to add various JavaScript support features to older web browsers.

In light of this new vulnerability we have conducted a review of our Moodle products, associated moodle.org and moodle.com sites as well as our Moodle Cloud sites. We can confirm that our systems are not affected by this issue. We do not use this library in our product codebase or in the code of our company sites.

As a point of clarification, the Moodle LMS codebase does include a file named `polyfill.js`, which might raise concerns due to the similarity in names. However, we assure you that this file is entirely unrelated to the vulnerability identified; the shared name is just a coincidence.

We take security very seriously. Our team continuously monitors for new threats and vulnerabilities, ensuring that our products remain secure and reliable. We have robust processes in place to assess and mitigate any potential risks swiftly and effectively.

More information on this exploit can be found at https://polykill.io/ and this Sansec article provides a good overview.

Kind Regards,
Matt Porritt
Head of Platform Solutions.

MSA-24-0025: QR login key and auto-login key for the Moodle mobile app should be generated as separate keys

- Post by Michael Hawkins

A unique key should be generated for a user's QR login key and their auto-login key, so the same key cannot be used interchangeably between the two.

Severity/Risk: Minor
Versions affected: 4.4, 4.3 to 4.3.4, 4.2 to 4.2.7, 4.1 to 4.1.10 and earlier unsupported versions
Versions fixed: 4.4.1, 4.3.5, 4.2.8 and 4.1.11
Reported by: Juan Leyva
CVE identifier: CVE-2024-38277
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-80959
Tracker issue: MDL-80959 QR login key and auto-login key for the Moodle mobile app should be generated as separate keys

MSA-24-0024: CSRF risks due to misuse of confirm_sesskey

- Post by Michael Hawkins

Incorrect CSRF token checks resulted in multiple CSRF risks.

Severity/Risk: Serious
Versions affected: 4.4, 4.3 to 4.3.4, 4.2 to 4.2.7, 4.1 to 4.1.10 and earlier unsupported versions
Versions fixed: 4.4.1, 4.3.5, 4.2.8 and 4.1.11
Reported by: Vincent Schneider (cli-ish)
CVE identifier: CVE-2024-38276
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-81890
Tracker issue: MDL-81890 CSRF risks due to misuse of confirm_sesskey

MSA-24-0023: HTTP authorization header is preserved between "emulated redirects"

- Post by Michael Hawkins

The cURL wrapper in Moodle retained the original request headers when following redirects, so HTTP authorization header information could be unintentionally sent in requests to redirect URLs.

Severity/Risk: Minor
Versions affected: 4.4, 4.3 to 4.3.4, 4.2 to 4.2.7, 4.1 to 4.1.10 and earlier unsupported versions
Versions fixed: 4.4.1, 4.3.5, 4.2.8 and 4.1.11
Reported by: cameron1729
CVE identifier: CVE-2024-38275
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-81774
Tracker issue: MDL-81774 HTTP authorization header is preserved between "emulated redirects"
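The advisory above describes a client that follows redirects itself and re-sends the original request headers, including `Authorization`, to whatever URL the redirect names. The following is an added example, not Moodle's cURL wrapper or any code from the tracker issue: a small redirect follower, run against a constructed table of fake responses in place of the network, that keeps credential headers only while the redirect stays on the same origin and drops them when the chain leaves it. The `strip_cross_origin=False` switch reproduces the leaking behaviour for comparison. It generalises slightly beyond the advisory by treating `Cookie` and `Proxy-Authorization` as credential headers as well; the URLs and the `SENSITIVE_HEADERS` set are assumptions of this example.

```python
"""Redirect following that does not leak credential headers across origins.

Added example (not Moodle code). It models the issue class described in
MSA-24-0023: an HTTP client that follows redirects itself ("emulated
redirects") and re-sends every original request header to the new URL.
"""
from urllib.parse import urljoin, urlsplit

# Headers that carry credentials and must not travel to another origin.
# (Assumed set for this example; the advisory itself names Authorization.)
SENSITIVE_HEADERS = {"authorization", "cookie", "proxy-authorization"}

# Constructed stand-in for the network: maps a URL to (status, response headers).
# 302 entries carry a Location header; 200 entries end the chain.
FAKE_RESPONSES = {
    "https://api.example.test/v1/file": (302, {"Location": "https://cdn.other.test/blob/123"}),
    "https://cdn.other.test/blob/123": (200, {}),
    "https://api.example.test/v1/moved": (302, {"Location": "/v1/final"}),
    "https://api.example.test/v1/final": (200, {}),
}


def _effective_port(parts):
    """Explicit port, or the scheme default when none is given."""
    return parts.port or (443 if parts.scheme == "https" else 80)


def same_origin(a: str, b: str) -> bool:
    """True when scheme, host and effective port all match."""
    pa, pb = urlsplit(a), urlsplit(b)
    return (pa.scheme, pa.hostname, _effective_port(pa)) == (
        pb.scheme, pb.hostname, _effective_port(pb))


def headers_for_redirect(headers: dict, from_url: str, to_url: str) -> dict:
    """Return the headers to send to `to_url`.

    Credentials set for the original origin are dropped when the redirect
    leaves that origin; same-origin redirects keep them unchanged.
    """
    if same_origin(from_url, to_url):
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() not in SENSITIVE_HEADERS}


def follow_redirects(url, headers, fetch=None, max_redirects=5, strip_cross_origin=True):
    """Follow redirects manually and record each (url, headers sent) hop.

    `fetch(url)` returns (status, response_headers); by default it reads the
    constructed FAKE_RESPONSES table. With strip_cross_origin=False the
    function reproduces the vulnerable behaviour: every hop gets all headers.
    """
    fetch = fetch or (lambda u: FAKE_RESPONSES[u])
    trail = []
    for _ in range(max_redirects + 1):
        trail.append((url, dict(headers)))
        status, resp = fetch(url)
        if status not in (301, 302, 303, 307, 308) or "Location" not in resp:
            return trail
        next_url = urljoin(url, resp["Location"])  # Location may be relative
        if strip_cross_origin:
            headers = headers_for_redirect(headers, url, next_url)
        url = next_url
    raise RuntimeError("too many redirects")


if __name__ == "__main__":
    hops = follow_redirects("https://api.example.test/v1/file",
                            {"Authorization": "Bearer secret", "Accept": "*/*"})
    for hop_url, sent in hops:
        print(hop_url, sorted(sent))
```

The check that matters is the origin comparison before the second request: a redirect to a different scheme, host or port is the point at which the bearer token would otherwise be handed to a third party, so that is where the header set is recomputed rather than reused.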

MSA-24-0022: Stored XSS via calendar's event title when deleting the event

- Post by Michael Hawkins

Insufficient escaping of calendar event titles resulted in a stored XSS risk in the event deletion prompt.

Severity/Risk: Minor
Versions affected: 4.4, 4.3 to 4.3.4, 4.2 to 4.2.7, 4.1 to 4.1.10 and earlier unsupported versions
Versions fixed: 4.4.1, 4.3.5, 4.2.8 and 4.1.11
Reported by: Meirza
CVE identifier: CVE-2024-38274
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-81412
Tracker issue: MDL-81412 Stored XSS via calendar's event title when deleting the event

MSA-24-0021: BigBlueButton web service leaks meeting joining information to users who should not have access

- Post by Michael Hawkins

Insufficient capability checks meant it was possible for users to gain access to BigBlueButton join URLs they did not have permission to access.

Severity/Risk: Minor
Versions affected: 4.4, 4.3 to 4.3.4, 4.2 to 4.2.7, 4.1 to 4.1.10 and earlier unsupported versions
Versions fixed: 4.4.1, 4.3.5, 4.2.8 and 4.1.11
Reported by: Paul Holden
CVE identifier: CVE-2024-38273
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-81778
Tracker issue: MDL-81778 BigBlueButton web service leaks meeting joining information to users who should not have access

MSA-24-0020: ReCAPTCHA can be bypassed on the login page

- Post by Michael Hawkins

Insufficient checks of whether ReCAPTCHA was enabled made it possible to bypass the checks on the login page. This did not affect other pages where ReCAPTCHA is utilised.

Severity/Risk: Minor
Versions affected: 4.3 to 4.3.3
Versions fixed: 4.3.4
Reported by: caglaroflazoglu
CVE identifier: CVE-2024-34009
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-81463
Tracker issue: MDL-81463 ReCAPTCHA can be bypassed on the login page

MSA-24-0019: CSRF risk in analytics management of models

- Post by Michael Hawkins

Actions in the admin management of analytics models did not include the necessary token to prevent a CSRF risk.

Severity/Risk: Minor
Versions affected: 4.0 to 4.3.3, 4.2 to 4.2.6, 4.1 to 4.1.9 and earlier unsupported versions
Versions fixed: 4.3.4, 4.2.7 and 4.1.10
Reported by: Paul Holden
CVE identifier: CVE-2024-34008
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-81059
Tracker issue: MDL-81059 CSRF risk in analytics management of models

MSA-24-0018: Logout CSRF in admin/tool/mfa/auth.php

- Post by Michael Hawkins

The logout option within MFA did not include the necessary token to avoid the risk of users inadvertently being logged out via CSRF.

Severity/Risk: Minor
Versions affected: 4.3 to 4.3.3
Versions fixed: 4.3.4
Reported by: Petr Skoda
CVE identifier: CVE-2024-34007
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-80877
Tracker issue: MDL-80877 Logout CSRF in admin/tool/mfa/auth.php

MSA-24-0017: Unsanitized HTML in site log for config_log_created

- Post by Michael Hawkins

The site log report required additional encoding of event descriptions to ensure any HTML in the content is displayed in plaintext instead of being rendered.

Severity/Risk: Minor
Versions affected: 4.0 to 4.3.3, 4.2 to 4.2.6, 4.1 to 4.1.9 and earlier unsupported versions
Versions fixed: 4.3.4, 4.2.7 and 4.1.10
Reported by: Leon Stringer
CVE identifier: CVE-2024-34006
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-80585
Tracker issue: MDL-80585 Unsanitized HTML in site log for config_log_created