Security announcements

MSA-24-0050: IDOR when fetching report schedules

ni Michael Hawkins -

Additional checks were required to ensure users can only access the schedule of a report if they have permission to edit that report.

Severity/Risk: Minor
Versions affected: 4.4 to 4.4.3, 4.3 to 4.3.7, 4.2 to 4.2.10, 4.1 to 4.1.13 and earlier unsupported versions
Versions fixed: 4.4.4, 4.3.8, 4.2.11 and 4.1.14
Reported by: Frédéric Massart
CVE identifier: CVE-2024-48901
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-83180
Tracker issue: MDL-83180 IDOR when fetching report schedules

MSA-24-0049: IDOR when accessing list of badge recipients

ni Michael Hawkins -

Additional checks were required to ensure users with permission to view badge recipients can only access lists of those they are intended to have access to.

Severity/Risk: Minor
Versions affected: 4.4 to 4.4.3
Versions fixed: 4.4.4
Reported by: Frédéric Massart
CVE identifier: CVE-2024-48900
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-83178
Tracker issue: MDL-83178 IDOR when accessing list of badge recipients

MSA-24-0048: IDOR when accessing list of course badges

ni Michael Hawkins -

Additional checks were required to ensure users can only fetch the list of course badges for courses they are intended to have access to.

Severity/Risk: Minor
Versions affected: 4.4 to 4.4.3
Versions fixed: 4.4.4
Reported by: Frédéric Massart
CVE identifier: CVE-2024-48899
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-83179
Tracker issue: MDL-83179 IDOR when accessing list of course badges

MSA-24-0047: Some users can delete audiences of other reports

ni Michael Hawkins -

Users with access to delete audiences from some reports could delete audiences from other reports they did not have permission to delete from.

Severity/Risk: Minor
Versions affected: 4.4 to 4.4.3, 4.3 to 4.3.7, 4.2 to 4.2.10, 4.1 to 4.1.13 and earlier unsupported versions
Versions fixed: 4.4.4, 4.3.8, 4.2.11 and 4.1.14
Reported by: Frédéric Massart
CVE identifier: CVE-2024-48898
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-83181
Tracker issue: MDL-83181 Some users can delete audiences of other reports

MSA-24-0046: IDOR in edit/delete RSS feed

ni Michael Hawkins -

Additional checks were required to ensure users can only edit or delete RSS feeds they have permission to modify.

Severity/Risk: Minor
Versions affected: 4.4 to 4.4.3, 4.3 to 4.3.7, 4.2 to 4.2.10, 4.1 to 4.1.13 and earlier unsupported versions
Versions fixed: 4.4.4, 4.3.8, 4.2.11 and 4.1.14
Reported by: Paul Holden
CVE identifier: CVE-2024-48897
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-82386
Tracker issue: MDL-82386 IDOR in edit/delete RSS feed

MSA-24-0045: Users' names returned in messaging error message

ni Michael Hawkins -

It was possible for users with the "send message" capability to view other users' names they may not otherwise have access to, via an error message in Messaging. (Note: The name returned followed the full name format configured on the site).

Severity/Risk: Minor
Versions affected: 4.4 to 4.4.3, 4.3 to 4.3.7, 4.2 to 4.2.10, 4.1 to 4.1.13 and earlier unsupported versions
Versions fixed: 4.4.4, 4.3.8, 4.2.11 and 4.1.14
Reported by: Bruno Kirschner (Recurity Labs)
CVE identifier: CVE-2024-48896
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-83352
Tracker issue: MDL-83352 Users' names returned in messaging error message

MSA-24-0044: Lesson activity password bypass through PHP loose comparison

ni Michael Hawkins -

When restricting access to a Lesson activity with a password, certain passwords could be bypassed/less secure due to a loose comparison in the password checking logic.

Note: this only affected passwords that are set to "magic hash" values. These are certain values where a loose comparison in the code can result in multiple values "matching" the password, instead of the expected behaviour that only an exact match for the password will be accepted.

Severity/Risk: Minor
Versions affected: 4.4 to 4.4.2, 4.3 to 4.3.6, 4.2 to 4.2.9, 4.1 to 4.1.12 and earlier unsupported versions
Versions fixed: 4.4.3, 4.3.7, 4.2.10 and 4.1.13
Reported by: TaiYou
Workaround: Avoid using passwords which are considered to be a "magic hash" value (such as those beginning with "0e" followed by digits).
CVE identifier: CVE-2024-45691
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-82365
Tracker issue: MDL-82365 Lesson activity password bypass through PHP loose comparison

MSA-24-0043: IDOR when deleting OAuth2 linked accounts

ni Michael Hawkins -

Additional checks were required to ensure users can only delete their own OAuth2 linked accounts.

Severity/Risk: Minor
Versions affected: 4.4 to 4.4.2, 4.3 to 4.3.6, 4.2 to 4.2.9, 4.1 to 4.1.12 and earlier unsupported versions
Versions fixed: 4.4.3, 4.3.7, 4.2.10 and 4.1.13
Reported by: Trevor McCready
CVE identifier: CVE-2024-45690
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-76962
Tracker issue: MDL-76962 IDOR when deleting OAuth2 linked accounts

MSA-24-0042: Unprotected access to sensitive information via dynamic tables

ni Michael Hawkins -

Dynamic tables did not enforce capability checks, which resulted in users having the ability to retrieve information they did not have permission to access.

Note: Please check the information at the bottom of this announcement for important information related to this fix.

Severity/Risk: Serious
Versions affected: 4.4 to 4.4.2, 4.3 to 4.3.6, 4.2 to 4.2.9, 4.1 to 4.1.12 and earlier unsupported versions
Versions fixed: 4.4.3, 4.3.7, 4.2.10 and 4.1.13
Reported by: Frédéric Massart
CVE identifier: CVE-2024-45689
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-82567
Tracker issue: MDL-82567 Unprotected access to sensitive information via dynamic tables

The following is important information about this fix, which includes some action items that may be necessary on your site to ensure continued functionality of dynamic tables:

  • This vulnerability potentially affects all dynamic tables, so the fix implements a new method which forces a capability check.
  • By default, the patches released for Moodle 4.4, 4.3, 4.2 and 4.1 implement a default check which restricts all dynamic tables to admin access only (moodle/site:config capability), to ensure any third party code is also automatically protected.
  • Any dynamic tables (classes implementing core_table\dynamic) which require access by non-admins will need to be updated in the code to implement the new ::has_capability() method.
  • From Moodle 4.5, that default will be removed and the ::has_capability() method will become compulsory for dynamic tables (defined in the interface), so if you have any plugins/customisations that include classes implementing core_table\dynamic, those classes will need to be updated to implement the new method. Any dynamic tables without that implementation will trigger a fatal error and fail to load from Moodle 4.5 onwards.
  • The fixes for this issue update all core LMS dynamic tables, so you can refer to those for examples of how to implement this.
  • If your Moodle site(s) do not use any custom/third party code which implements core_table\dynamic, you just need to upgrade your site to the latest minor version (or apply the patch), no further action is required.

MSA-24-0041: LFI vulnerability when restoring malformed block backups

ni Michael Hawkins -

A local file include risk when restoring block backups was identified.

Severity/Risk: Serious
Versions affected: 4.4 to 4.4.1, 4.3 to 4.3.5, 4.2 to 4.2.8, 4.1 to 4.1.11 and earlier unsupported versions
Versions fixed: 4.4.2, 4.3.6, 4.2.9 and 4.1.12
Reported by: Paul Holden
CVE identifier: CVE-2024-43440
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-82392
Tracker issue: MDL-82392 LFI vulnerability when restoring malformed block backups