The grader report search required additional sanitizing to prevent a reflected XSS risk.
| Severity/Risk: | Minor |
| Versions affected: | 4.3 and 4.2 to 4.2.3 |
| Versions fixed: | 4.3.1 and 4.2.4 |
| Reported by: | Paul Holden |
| CVE identifier: | CVE-2023-6666 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-80287 |
| Tracker issue: | MDL-80287 Reflected XSS risk in grader report search |
ID numbers displayed in the grader report required additional sanitizing to prevent a stored XSS risk.
| Severity/Risk: | Minor |
| Versions affected: | 4.3 and 4.2 to 4.2.3 |
| Versions fixed: | 4.3.1 and 4.2.4 |
| Reported by: | Paul Holden |
| CVE identifier: | CVE-2023-6665 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-80239 |
| Tracker issue: | MDL-80239 Stored XSS in grader report via user ID number |
Separate Groups mode restrictions were not honoured in the Logs and Live logs course reports, which would display users from other groups.
| Severity/Risk: | Minor |
| Versions affected: | 4.3, 4.2 to 4.2.3, 4.1 to 4.1.6, 4.0 to 4.0.11, 3.11 to 3.11.17, 3.9 to 3.9.24 and earlier unsupported versions |
| Versions fixed: | 4.3.1, 4.2.4, 4.1.7, 4.0.12, 3.11.18 and 3.9.25 |
| Reported by: | Ankit Agarwal |
| CVE identifier: | CVE-2023-6664 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-41465 |
| Tracker issue: | MDL-41465 Logs and Live logs course reports did not respect activity group settings |
A remote code execution risk was identified in course blocks. By default this was only available to teachers and managers.
| Severity/Risk: | Serious |
| Versions affected: | 4.3, 4.2 to 4.2.3, 4.1 to 4.1.6, 4.0 to 4.0.11, 3.11 to 3.11.17, 3.9 to 3.9.24 and earlier unsupported versions |
| Versions fixed: | 4.3.1, 4.2.4, 4.1.7, 4.0.12, 3.11.18 and 3.9.25 |
| Reported by: | Vincent Schneider (cli-ish) |
| CVE identifier: | CVE-2023-6663 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-79797 |
| Tracker issue: | MDL-79797 Authenticated remote code execution risk in course blocks |
Insufficient recursion limitations resulted in a denial of service risk in the URL downloader.
| Severity/Risk: | Serious |
| Versions affected: | 4.3, 4.2 to 4.2.3, 4.1 to 4.1.6, 4.0 to 4.0.11, 3.11 to 3.11.17, 3.9 to 3.9.24 and earlier unsupported versions |
| Versions fixed: | 4.3.1, 4.2.4, 4.1.7, 4.0.12, 3.11.18 and 3.9.25 |
| Reported by: | herocharge |
| CVE identifier: | CVE-2023-6662 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-79759 |
| Tracker issue: | MDL-79759 DOS risk in URL downloader |
A remote code execution risk was identified in logstore. By default this was only available to managers.
| Severity/Risk: | Serious |
| Versions affected: | 4.3, 4.2 to 4.2.3, 4.1 to 4.1.6, 4.0 to 4.0.11, 3.11 to 3.11.17, 3.9 to 3.9.24 and earlier unsupported versions |
| Versions fixed: | 4.3.1, 4.2.4, 4.1.7, 4.0.12, 3.11.18 and 3.9.25 |
| Reported by: | Vincent Schneider (cli-ish) |
| CVE identifier: | CVE-2023-6661 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-80174 |
| Tracker issue: | MDL-80174 Authenticated remote code execution risk in logstore as manager |
Separate Groups mode restrictions were not honoured in the forum summary report, which would display users from other groups.
| Severity/Risk: | Minor |
| Versions affected: | 4.2 to 4.2.2, 4.1 to 4.1.5, 4.0 to 4.0.10, 3.11 to 3.11.16, 3.9 to 3.9.23 and earlier unsupported versions |
| Versions fixed: | 4.2.3, 4.1.6, 4.0.11, 3.11.17 and 3.9.24 |
| Reported by: | Fabián Glagovsky |
| CVE identifier: | CVE-2023-5551 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-79310 |
| Tracker issue: | MDL-79310 Forum summary report shows students from other groups when in Separate Groups mode |
In a shared hosting environment that has been misconfigured to allow access to other users' content, a Moodle user who also has direct access to the web server outside of the Moodle webroot could utilise a local file include to achieve remote code execution.
| Severity/Risk: | Serious |
| Versions affected: | 4.2 to 4.2.2, 4.1 to 4.1.5, 4.0 to 4.0.10, 3.11 to 3.11.16, 3.9 to 3.9.23 and earlier unsupported versions |
| Versions fixed: | 4.2.3, 4.1.6, 4.0.11, 3.11.17 and 3.9.24 |
| Reported by: | 0xkasper |
| CVE identifier: | CVE-2023-5550 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-72249 |
| Tracker issue: | MDL-72249 RCE due to LFI risk in some misconfigured shared hosting environments |
Insufficient web service capability checks made it possible to move categories a user had permission to manage, to a parent category they did not have the capability to manage.
| Severity/Risk: | Minor |
| Versions affected: | 4.2 to 4.2.2, 4.1 to 4.1.5, 4.0 to 4.0.10, 3.11 to 3.11.16, 3.9 to 3.9.23 and earlier unsupported versions |
| Versions fixed: | 4.2.3, 4.1.6, 4.0.11, 3.11.17 and 3.9.24 |
| Reported by: | Erica Bithell |
| CVE identifier: | CVE-2023-5549 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-66730 |
| Tracker issue: | MDL-66730 Insufficient capability checks when updating the parent of a course category |
Stronger revision number limitations were required on file serving endpoints to improve cache poisoning protection.
| Severity/Risk: | Minor |
| Versions affected: | 4.2 to 4.2.2, 4.1 to 4.1.5, 4.0 to 4.0.10, 3.11 to 3.11.16, 3.9 to 3.9.23 and earlier unsupported versions |
| Versions fixed: | 4.2.3, 4.1.6, 4.0.11, 3.11.17 and 3.9.24 |
| Reported by: | Yaniv Nizry (SonarSource) |
| CVE identifier: | CVE-2023-5548 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-77846 |
| Tracker issue: | MDL-77846 Make file serving endpoints revision control stricter |