Security announcements

MSA-23-0030: Quiz sequential navigation bypass possible

Michael Hawkins

Insufficient limitations made it possible for students to bypass sequential navigation during a quiz attempt.

Severity/Risk: Minor
Versions affected: 4.2 to 4.2.1, 4.1 to 4.1.4, 4.0 to 4.0.9, 3.11 to 3.11.15, 3.9 to 3.9.22 and earlier unsupported versions
Versions fixed: 4.2.2, 4.1.5, 4.0.10, 3.11.16 and 3.9.23
Reported by: Abhijit A M
CVE identifier: CVE-2023-40325
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71728
Tracker issue: MDL-71728 Quiz sequential navigation bypass possible

MSA-23-0029: Competency framework tools are not restricted as intended

Michael Hawkins

Insufficient capability checks resulted in competency framework tools being available to users without the relevant capability.

Severity/Risk: Minor
Versions affected: 4.2 to 4.2.1, 4.1 to 4.1.4, 4.0 to 4.0.9, 3.11 to 3.11.15, 3.9 to 3.9.22 and earlier unsupported versions
Versions fixed: 4.2.2, 4.1.5, 4.0.10, 3.11.16 and 3.9.23
Reported by: Michael Hawkins
CVE identifier: CVE-2023-40324
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-66212
Tracker issue: MDL-66212 Competency framework tools are not restricted as intended

MSA-23-0028: Open redirect risk on admin view all policies page

Michael Hawkins

The admin view all policies page URL required additional sanitizing to prevent an open redirect risk.

Severity/Risk: Minor
Versions affected: 4.2 to 4.2.1, 4.1 to 4.1.4, 4.0 to 4.0.9, 3.11 to 3.11.15, 3.9 to 3.9.22 and earlier unsupported versions
Versions fixed: 4.2.2, 4.1.5, 4.0.10, 3.11.16 and 3.9.23
Reported by: Darko Miletic
CVE identifier: CVE-2023-40323
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-78763
Tracker issue: MDL-78763 Open redirect risk on admin view all policies page

MSA-23-0027: JQuery UI library upgraded to 1.13.2 (upstream)

Michael Hawkins

The JQuery UI library included with Moodle has been upgraded to version 1.13.2, which includes fixes for security issues.

Severity/Risk: Minor
Versions affected: 3.11 to 3.11.15, 3.9 to 3.9.22 and earlier unsupported versions
Versions fixed: 3.11.16 and 3.9.23
Reported by: Wolf Ventir
CVE identifier: CVE-2022-31160, CVE-2021-41184, CVE-2021-41183 and CVE-2021-41182
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-74544
Tracker issue: MDL-74544 JQuery UI library upgraded to 1.13.2 (upstream)

MSA-23-0026: IDOR in message processor fragments allows fetching of other users' data

Michael Hawkins

Insufficient capability checks made it possible to fetch other users' message processor preferences data.

Severity/Risk: Minor
Versions affected: 4.2 to 4.2.1, 4.1 to 4.1.4, 4.0 to 4.0.9, 3.11 to 3.11.15, 3.9 to 3.9.22 and earlier unsupported versions
Versions fixed: 4.2.2, 4.1.5, 4.0.10, 3.11.16 and 3.9.23
Reported by: Paul Holden
CVE identifier: CVE-2023-40322
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-78792
Tracker issue: MDL-78792 IDOR in message processor fragments allows fetching of other users' data

MSA-23-0025: phpCAS library upgraded to 1.6.0 (upstream)

Michael Hawkins

The phpCAS library included with Moodle has been upgraded to version 1.6.0, which includes a fix for a serious security issue.

Severity/Risk: Serious
Versions affected: 4.0 to 4.0.9, 3.11 to 3.11.15, 3.9 to 3.9.22 and earlier unsupported versions
Versions fixed: 4.0.10, 3.11.16 and 3.9.23
Reported by: Julien Boulen
CVE identifier: CVE-2022-39369
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-78620
Tracker issue: MDL-78620 phpCAS library upgraded to 1.6.0 (upstream)

MSA-23-0024: Private course participant data available from external grade report method

Michael Hawkins

Insufficient capability checks resulted in course participant data being available to other participants in the course who would not otherwise have access to the information.

Severity/Risk: Minor
Versions affected: 4.2 to 4.2.1
Versions fixed: 4.2.2
Reported by: Paul Holden
CVE identifier: CVE-2023-40321
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-78871
Tracker issue: MDL-78871 Private course participant data available from external grade report method

MSA-23-0023: Stored self-XSS escalated to stored XSS via OAuth 2 login

Michael Hawkins

It was possible to escalate stored self-XSS to stored XSS where users log in via OAuth 2.

Severity/Risk: Serious
Versions affected: 4.2 to 4.2.1, 4.1 to 4.1.4, 4.0 to 4.0.9, 3.11 to 3.11.15, 3.9 to 3.9.22 and earlier unsupported versions
Versions fixed: 4.2.2, 4.1.5, 4.0.10, 3.11.16 and 3.9.23
Reported by: Yaniv Nizry (SonarSource)
CVE identifier: CVE-2023-40320
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-78685
Tracker issue: MDL-78685 Stored self-XSS escalated to stored XSS via OAuth 2 login

MSA-23-0022: SQL injection risk in grader report sorting

Michael Hawkins

An SQL injection risk was identified in the grader report sorting.

(Note: By default the capability to access this page is only available to teachers, non-editing teachers and managers.)

Severity/Risk: Serious
Versions affected: 4.2 to 4.2.1
Versions fixed: 4.2.2
Reported by: Paul Holden
Workaround: Remove access to the gradereport/grader:view capability until the patch has been applied.
CVE identifier: CVE-2023-40319
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-78790
Tracker issue: MDL-78790 SQL injection risk in grader report sorting

MSA-23-0021: Some block permissions on Dashboard not respected

Michael Hawkins

Permission overrides on individual blocks in the system dashboard did not cascade to user dashboards.

Severity/Risk: Minor
Versions affected: 4.2 to 4.2.1, 4.1 to 4.1.4, 4.0 to 4.0.9, 3.11 to 3.11.15, 3.9 to 3.9.22 and earlier unsupported versions
Versions fixed: 4.2.2, 4.1.5, 4.0.10, 3.11.16 and 3.9.23
Reported by: Bas Harkink
CVE identifier: CVE-2023-40318
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-78340
Tracker issue: MDL-78340 Some block permissions on Dashboard not respected