Security announcements

MSA-24-0020: ReCAPTCHA can be bypassed on the login page

Posted by Michael Hawkins

Insufficient checks whether ReCAPTCHA was enabled made it possible to bypass the checks on the login page. This did not affect other pages where ReCAPTCHA is utilised.

Severity/Risk: Minor
Versions affected: 4.3 to 4.3.3
Versions fixed: 4.3.4
Reported by: caglaroflazoglu
CVE identifier: CVE-2024-34009
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-81463
Tracker issue: MDL-81463 ReCAPTCHA can be bypassed on the login page

MSA-24-0019: CSRF risk in analytics management of models

Posted by Michael Hawkins

Actions in the admin management of analytics models did not include the necessary token to prevent a CSRF risk.

Severity/Risk: Minor
Versions affected: 4.0 to 4.3.3, 4.2 to 4.2.6, 4.1 to 4.1.9 and earlier unsupported versions
Versions fixed: 4.3.4, 4.2.7 and 4.1.10
Reported by: Paul Holden
CVE identifier: CVE-2024-34008
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-81059
Tracker issue: MDL-81059 CSRF risk in analytics management of models

MSA-24-0018: Logout CSRF in admin/tool/mfa/auth.php

Posted by Michael Hawkins

The logout option within MFA did not include the necessary token to avoid the risk of users inadvertently being logged out via CSRF.

Severity/Risk: Minor
Versions affected: 4.3 to 4.3.3
Versions fixed: 4.3.4
Reported by: Petr Skoda
CVE identifier: CVE-2024-34007
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-80877
Tracker issue: MDL-80877 Logout CSRF in admin/tool/mfa/auth.php

MSA-24-0017: Unsanitized HTML in site log for config_log_created

Posted by Michael Hawkins

The site log report required additional encoding of event descriptions to ensure any HTML in the content is displayed in plaintext instead of being rendered.

Severity/Risk: Minor
Versions affected: 4.0 to 4.3.3, 4.2 to 4.2.6, 4.1 to 4.1.9 and earlier unsupported versions
Versions fixed: 4.3.4, 4.2.7 and 4.1.10
Reported by: Leon Stringer
CVE identifier: CVE-2024-34006
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-80585
Tracker issue: MDL-80585 Unsanitized HTML in site log for config_log_created

MSA-24-0016: Authenticated LFI risk in some misconfigured shared hosting environments via modified mod_data backup

Posted by Michael Hawkins

In a shared hosting environment that has been misconfigured to allow access to other users' content, a Moodle user with both access to restore database activity modules and direct access to the web server outside of the Moodle webroot could execute a local file include.

Severity/Risk: Serious
Versions affected: 4.0 to 4.3.3, 4.2 to 4.2.6, 4.1 to 4.1.9 and earlier unsupported versions
Versions fixed: 4.3.4, 4.2.7 and 4.1.10
Reported by: Vincent Schneider (cli-ish)
CVE identifier: CVE-2024-34005
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-81267
Tracker issue: MDL-81267 Authenticated LFI risk in some misconfigured shared hosting environments via modified mod_data backup

MSA-24-0015: Authenticated LFI risk in some misconfigured shared hosting environments via modified mod_wiki backup

Posted by Michael Hawkins

In a shared hosting environment that has been misconfigured to allow access to other users' content, a Moodle user with both access to restore wiki modules and direct access to the web server outside of the Moodle webroot could execute a local file include.

Severity/Risk: Serious
Versions affected: 4.0 to 4.3.3, 4.2 to 4.2.6, 4.1 to 4.1.9 and earlier unsupported versions
Versions fixed: 4.3.4, 4.2.7 and 4.1.10
Reported by: Vincent Schneider (cli-ish)
CVE identifier: CVE-2024-34004
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-81284
Tracker issue: MDL-81284 Authenticated LFI risk in some misconfigured shared hosting environments via modified mod_wiki backup

MSA-24-0014: Authenticated LFI risk in some misconfigured shared hosting environments via modified mod_workshop backup

Posted by Michael Hawkins

In a shared hosting environment that has been misconfigured to allow access to other users' content, a Moodle user with both access to restore workshop modules and direct access to the web server outside of the Moodle webroot could execute a local file include.

Severity/Risk: Serious
Versions affected: 4.0 to 4.3.3, 4.2 to 4.2.6, 4.1 to 4.1.9 and earlier unsupported versions
Versions fixed: 4.3.4, 4.2.7 and 4.1.10
Reported by: Vincent Schneider (cli-ish)
CVE identifier: CVE-2024-34003
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-80712
Tracker issue: MDL-80712 Authenticated LFI risk in some misconfigured shared hosting environments via modified mod_workshop backup

MSA-24-0013: Authenticated LFI risk in some misconfigured shared hosting environments via modified mod_feedback backup

Posted by Michael Hawkins

In a shared hosting environment that has been misconfigured to allow access to other users' content, a Moodle user with both access to restore feedback modules and direct access to the web server outside of the Moodle webroot could execute a local file include.

Severity/Risk: Serious
Versions affected: 4.0 to 4.3.3, 4.2 to 4.2.6, 4.1 to 4.1.9 and earlier unsupported versions
Versions fixed: 4.3.4, 4.2.7 and 4.1.10
Reported by: Vincent Schneider (cli-ish)
CVE identifier: CVE-2024-34002
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-81135
Tracker issue: MDL-81135 Authenticated LFI risk in some misconfigured shared hosting environments via modified mod_feedback backup

MSA-24-0012: CSRF risk in admin preset tool management of presets

Posted by Michael Hawkins

Actions in the admin preset tool did not include the necessary token to prevent a CSRF risk.

Severity/Risk: Minor
Versions affected: 4.0 to 4.3.3, 4.2 to 4.2.6, 4.1 to 4.1.9 and earlier unsupported versions
Versions fixed: 4.3.4, 4.2.7 and 4.1.10
Reported by: Paul Holden
CVE identifier: CVE-2024-34001
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-81058
Tracker issue: MDL-81058 CSRF risk in admin preset tool management of presets

MSA-24-0011: Stored XSS in lesson overview report via user ID number

Posted by Michael Hawkins

ID numbers displayed in the lesson overview report required additional sanitizing to prevent a stored XSS risk.

Severity/Risk: Minor
Versions affected: 4.0 to 4.3.3, 4.2 to 4.2.6, 4.1 to 4.1.9 and earlier unsupported versions
Versions fixed: 4.3.4, 4.2.7 and 4.1.10
Reported by: Paul Holden
CVE identifier: CVE-2024-34000
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-81062
Tracker issue: MDL-81062 Stored XSS in lesson overview report via user ID number