Additional localstorage validation was required to mitigate a cache poisoning risk.
| Severity/Risk: | Serious |
| Versions affected: | 4.4 to 4.4.1, 4.3 to 4.3.5, 4.2 to 4.2.8, 4.1 to 4.1.11 and earlier unsupported versions |
| Versions fixed: | 4.4.2, 4.3.6, 4.2.9 and 4.1.12 |
| Reported by: | Andrew Lyons |
| CVE identifier: | CVE-2024-43428 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-81718 |
| Tracker issue: | MDL-81718 Cache poisoning via injection into storage |
When creating an export of site administration presets, some sensitive secrets/keys were not being excluded from the export, which could result in them being unintentionally leaked if the presets were shared with a third party.
| Severity/Risk: | Minor |
| Versions affected: | 4.4 to 4.4.1, 4.3 to 4.3.5, 4.2 to 4.2.8, 4.1 to 4.1.11 and earlier unsupported versions |
| Versions fixed: | 4.4.2, 4.3.6, 4.2.9 and 4.1.12 |
| Reported by: | Paul Holden |
| Workaround: | Avoid exporting or distributing admin presets until the patch is applied. |
| CVE identifier: | CVE-2024-43427 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-79373 |
| Tracker issue: | MDL-79373 Admin presets export tool includes some secrets that should not be exported |
Insufficient sanitizing in the TeX notation filter resulted in an arbitrary file read risk on sites where pdfTeX is available (such as those with TeX Live installed).
| Severity/Risk: | Serious |
| Versions affected: | 4.4 to 4.4.1, 4.3 to 4.3.5, 4.2 to 4.2.8, 4.1 to 4.1.11 and earlier unsupported versions |
| Versions fixed: | 4.4.2, 4.3.6, 4.2.9 and 4.1.12 |
| Reported by: | TaiYou |
| Workaround: | Disable the TeX filter until the patch is applied. |
| CVE identifier: | CVE-2024-43426 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-82745 |
| Tracker issue: | MDL-82745 Arbitrary file read risk through pdfTeX |
Additional restrictions were required to avoid a remote code execution risk in calculated question types. (Note: This required the capability to add/update questions.)
| Severity/Risk: | Serious |
| Versions affected: | 4.4 to 4.4.1, 4.3 to 4.3.5, 4.2 to 4.2.8, 4.1 to 4.1.11 and earlier unsupported versions |
| Versions fixed: | 4.4.2, 4.3.6, 4.2.9 and 4.1.12 |
| Reported by: | RedTeam Pentesting GmbH |
| CVE identifier: | CVE-2024-43425 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-82576 |
| Tracker issue: | MDL-82576 Remote code execution via calculated question types |
Hi All,
Some of you may have seen from various outlets that a vulnerability has been identified in the “polyfill.js” library and particularly the hosted version of that library (cdn.polyfill.io). This is a popular open source library that is used in many sites to add various javascript support features to older web browsers.
In light of this new vulnerability we have conducted a review of our Moodle products, associated moodle.org and moodle.com sites as well as our Moodle Cloud sites. We can confirm that our systems are not affected by this issue. We do not use this library in our product codebase or in the code of our company sites.
As a point of clarification the Moodle LMS codebase does include a file named `polyfill.js`, which might raise concerns due to the similarity in names. However, we assure you that this file is entirely unrelated to the vulnerability identified, and is just a coincidence.
We take security very seriously. Our team continuously monitors for new threats and vulnerabilities, ensuring that our products remain secure and reliable. We have robust processes in place to assess and mitigate any potential risks swiftly and effectively.
More information on this exploit can be found at https://polykill.io/ and this Sansec article provides a good overview.
Kind Regards,
Matt Porritt
Head of Platform Solutions.
A unique key should be generated for a user's QR login key and their auto-login key, so the same key cannot be used interchangeably between the two.
| Severity/Risk: | Minor |
| Versions affected: | 4.4, 4.3 to 4.3.4, 4.2 to 4.2.7, 4.1 to 4.1.10 and earlier unsupported versions |
| Versions fixed: | 4.4.1, 4.3.5, 4.2.8 and 4.1.11 |
| Reported by: | Juan Leyva |
| CVE identifier: | CVE-2024-38277 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-80959 |
| Tracker issue: | MDL-80959 QR login key and auto-login key for the Moodle mobile app should be generated as separate keys |
Incorrect CSRF token checks resulted in multiple CSRF risks.
| Severity/Risk: | Serious |
| Versions affected: | 4.4, 4.3 to 4.3.4, 4.2 to 4.2.7, 4.1 to 4.1.10 and earlier unsupported versions |
| Versions fixed: | 4.4.1, 4.3.5, 4.2.8 and 4.1.11 |
| Reported by: | Vincent Schneider (cli-ish) |
| CVE identifier: | CVE-2024-38276 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-81890 |
| Tracker issue: | MDL-81890 CSRF risks due to misuse of confirm_sesskey |
The cURL wrapper in Moodle retained the original request headers when following redirects, so HTTP authorization header information could be unintentionally sent in requests to redirect URLs.
| Severity/Risk: | Minor |
| Versions affected: | 4.4, 4.3 to 4.3.4, 4.2 to 4.2.7, 4.1 to 4.1.10 and earlier unsupported versions |
| Versions fixed: | 4.4.1, 4.3.5, 4.2.8 and 4.1.11 |
| Reported by: | cameron1729 |
| CVE identifier: | CVE-2024-38275 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-81774 |
| Tracker issue: | MDL-81774 HTTP authorization header is preserved between "emulated redirects" |
Insufficient escaping of calendar event titles resulted in a stored XSS risk in the event deletion prompt.
| Severity/Risk: | Minor |
| Versions affected: | 4.4, 4.3 to 4.3.4, 4.2 to 4.2.7, 4.1 to 4.1.10 and earlier unsupported versions |
| Versions fixed: | 4.4.1, 4.3.5, 4.2.8 and 4.1.11 |
| Reported by: | Meirza |
| CVE identifier: | CVE-2024-38274 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-81412 |
| Tracker issue: | MDL-81412 Stored XSS via calendar's event title when deleting the event |
Insufficient capability checks meant it was possible for users to gain access to BigBlueButton join URLs they did not have permission to access.
| Severity/Risk: | Minor |
| Versions affected: | 4.4, 4.3 to 4.3.4, 4.2 to 4.2.7, 4.1 to 4.1.10 and earlier unsupported versions |
| Versions fixed: | 4.4.1, 4.3.5, 4.2.8 and 4.1.11 |
| Reported by: | Paul Holden |
| CVE identifier: | CVE-2024-38273 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-81778 |
| Tracker issue: | MDL-81778 BigBlueButton web service leaks meeting joining information to users who should not have access |