Security announcements

MSA-23-0015: Minor SQL injection risk in external Wiki method for listing pages

Posted by Michael Hawkins

A limited SQL injection risk was identified in functionality used by the Wiki activity when listing pages.

Severity/Risk: Minor
Versions affected: 4.1 to 4.1.2, 4.0 to 4.0.7, 3.11 to 3.11.13, 3.9 to 3.9.20 and earlier unsupported versions
Versions fixed: 4.1.3, 4.0.8, 3.11.14 and 3.9.21
Reported by: Paul Holden
CVE identifier: CVE-2023-30944
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-77187
Tracker issue: MDL-77187 Minor SQL injection risk in external Wiki method for listing pages

MSA-23-0014: TinyMCE loaders susceptible to Arbitrary Folder Creation

Posted by Michael Hawkins

Insufficient sanitizing of loaders used by TinyMCE resulted in an arbitrary folder creation risk.

Severity/Risk: Serious
Versions affected: 4.1 to 4.1.2
Versions fixed: 4.1.3
Reported by: Yaniv Nizry (SonarSource)
CVE identifier: CVE-2023-30943
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-77718
Tracker issue: MDL-77718 TinyMCE loaders susceptible to Arbitrary Folder Creation

MSA-23-0013: XSS risk in TinyMCE alerts (upstream)

Posted by Michael Hawkins

The TinyMCE editor included with Moodle required a security patch to be applied to fix an XSS risk.

Severity/Risk: Minor
Versions affected: 4.1 to 4.1.1
Versions fixed: 4.1.2
Reported by: Andrew Lyons
CVE identifier: CVE-2022-23494
Changes (master): N/A
Tracker issue: MDL-77470 XSS risk in TinyMCE alerts (upstream)

MSA-23-0012: Course participation report shows roles the user should not see

Posted by Michael Hawkins

The course participation report required additional checks to prevent roles being displayed which the user did not have access to view.

Severity/Risk: Minor
Versions affected: 4.1 to 4.1.1, 4.0 to 4.0.6, 3.11 to 3.11.12, 3.9 to 3.9.19 and earlier unsupported versions
Versions fixed: 4.1.2, 4.0.7, 3.11.13 and 3.9.20
Reported by: Chris Pratt
CVE identifier: CVE-2023-1402
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-75517
Tracker issue: MDL-75517 Course participation report shows roles the user should not see

MSA-23-0011: Teacher can access names of users they do not have permission to access

Posted by Michael Hawkins

Insufficient filtering of grade report history made it possible for teachers to access the names of users they could not otherwise access.

Severity/Risk: Minor
Versions affected: 4.1 to 4.1.1, 4.0 to 4.0.6, 3.11 to 3.11.12, 3.9 to 3.9.19 and earlier unsupported versions
Versions fixed: 4.1.2, 4.0.7, 3.11.13 and 3.9.20
Reported by: DegrangeM
CVE identifier: CVE-2023-28336
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-76809
Tracker issue: MDL-76809 Teacher can access names of users they do not have permission to access

MSA-23-0010: CSRF risk in resetting all templates of a database activity

Posted by Michael Hawkins

The link to reset all templates of a database activity did not include the necessary token to prevent a CSRF risk.

Severity/Risk: Minor
Versions affected: 4.1 to 4.1.1
Versions fixed: 4.1.2
Reported by: DegrangeM
CVE identifier: CVE-2023-28335
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-77008
Tracker issue: MDL-77008 CSRF risk in resetting all templates of a database activity

MSA-23-0009: Users' name enumeration possible via IDOR on learning plans page

Posted by Michael Hawkins

Authenticated users were able to enumerate other users' names via the learning plans page.

Severity/Risk: Minor
Versions affected: 4.1 to 4.1.1 and 4.0 to 4.0.6
Versions fixed: 4.1.2 and 4.0.7
Reported by: Paul Holden
CVE identifier: CVE-2023-28334
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-77129
Tracker issue: MDL-77129 Users' name enumeration possible via IDOR on learning plans page

MSA-23-0008: Pix helper potential Mustache code injection risk

Posted by Michael Hawkins

The Mustache pix helper contained a potential Mustache injection risk if combined with user input (note: this did not appear to be implemented or exploitable anywhere in the core Moodle LMS).

Severity/Risk: Minor
Versions affected: 4.1 to 4.1.1, 4.0 to 4.0.6, 3.11 to 3.11.12, 3.9 to 3.9.19 and earlier unsupported versions
Versions fixed: 4.1.2, 4.0.7, 3.11.13 and 3.9.20
Reported by: Lars Bonczek
CVE identifier: CVE-2023-28333
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-75659
Tracker issue: MDL-75659 Pix helper potential Mustache code injection risk

MSA-23-0007: Algebra filter XSS when filter is misconfigured

Posted by Michael Hawkins

If the algebra filter was enabled but not functional (e.g. the necessary binaries were missing from the server), it presented an XSS risk.

Severity/Risk: Minor
Versions affected: 4.1 to 4.1.1, 4.0 to 4.0.6, 3.11 to 3.11.12, 3.9 to 3.9.19 and earlier unsupported versions
Versions fixed: 4.1.2, 4.0.7, 3.11.13 and 3.9.20
Reported by: Petr Skoda
Workaround: Ensure that if the algebra filter is enabled, it is correctly configured and functional (otherwise, ensure it is disabled).
CVE identifier: CVE-2023-28332
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-77524
Tracker issue: MDL-77524 Algebra filter XSS when filter is misconfigured

MSA-23-0006: XSS risk when outputting database activity filter data

Nosūtīja Michael Hawkins

Content output by the database auto-linking filter required additional sanitizing to prevent an XSS risk.


Severity/Risk: Serious
Versions affected: 4.1 to 4.1.1, 4.0 to 4.0.6, 3.11 to 3.11.12, 3.9 to 3.9.19 and earlier unsupported versions
Versions fixed: 4.1.2, 4.0.7, 3.11.13 and 3.9.20
Reported by: Petr Skoda
Workaround: Disable the database auto-linking filter until the patch has been applied.
CVE identifier: CVE-2023-28331
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-76645
Tracker issue: MDL-76645 XSS risk when outputting database activity filter data