Security announcements

MSA-23-0051: Badge recipients are available to all users

deur Michael Hawkins -

Insufficient capability checks meant it was possible for all users to view the recipients of badges.


Severity/Risk: Minor
Versions affected: 4.3, 4.2 to 4.2.3, 4.1 to 4.1.6, 4.0 to 4.0.11, 3.11 to 3.11.17, 3.9 to 3.9.24 and earlier unsupported versions
Versions fixed: 4.3.1, 4.2.4, 4.1.7, 4.0.12, 3.11.18 and 3.9.25
Reported by: Sara Arjona (@sarjona)
CVE identifier: CVE-2023-6668
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-80268
Tracker issue: MDL-80268 Badge recipients are available to all users
Bespreek hierdie onderwerp  (0 antwoorde tot dusver)

MSA-23-0050: Survey responses did not respect group settings

deur Michael Hawkins -

Separate Groups mode restrictions were not honoured in survey response reports, which would display users from other groups.


Severity/Risk: Minor
Versions affected: 4.3, 4.2 to 4.2.3, 4.1 to 4.1.6, 4.0 to 4.0.11, 3.11 to 3.11.17, 3.9 to 3.9.24 and earlier unsupported versions
Versions fixed: 4.3.1, 4.2.4, 4.1.7, 4.0.12, 3.11.18 and 3.9.25
Reported by: Leon Stringer
CVE identifier: CVE-2023-6667
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-79980
Tracker issue: MDL-79980 Survey responses did not respect group settings
Bespreek hierdie onderwerp  (0 antwoorde tot dusver)

MSA-23-0049: Reflected XSS risk in grader report search

deur Michael Hawkins -

The grader report search required additional sanitizing to prevent a reflected XSS risk.


Severity/Risk: Minor
Versions affected: 4.3 and 4.2 to 4.2.3
Versions fixed: 4.3.1 and 4.2.4
Reported by: Paul Holden
CVE identifier: CVE-2023-6666
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-80287
Tracker issue: MDL-80287 Reflected XSS risk in grader report search
Bespreek hierdie onderwerp  (0 antwoorde tot dusver)

MSA-23-0048: Stored XSS in grader report via user ID number

deur Michael Hawkins -

ID numbers displayed in the grader report required additional sanitizing to prevent a stored XSS risk.


Severity/Risk: Minor
Versions affected: 4.3 and 4.2 to 4.2.3
Versions fixed: 4.3.1 and 4.2.4
Reported by: Paul Holden
CVE identifier: CVE-2023-6665
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-80239
Tracker issue: MDL-80239 Stored XSS in grader report via user ID number
Bespreek hierdie onderwerp  (0 antwoorde tot dusver)

MSA-23-0047: Logs and Live logs course reports did not respect activity group settings

deur Michael Hawkins -

Separate Groups mode restrictions were not honoured in the Logs and Live logs course reports, which would display users from other groups.


Severity/Risk: Minor
Versions affected: 4.3, 4.2 to 4.2.3, 4.1 to 4.1.6, 4.0 to 4.0.11, 3.11 to 3.11.17, 3.9 to 3.9.24 and earlier unsupported versions
Versions fixed: 4.3.1, 4.2.4, 4.1.7, 4.0.12, 3.11.18 and 3.9.25
Reported by: Ankit Agarwal
CVE identifier: CVE-2023-6664
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-41465
Tracker issue: MDL-41465 Logs and Live logs course reports did not respect activity group settings
Bespreek hierdie onderwerp  (0 antwoorde tot dusver)

MSA-23-0046: Authenticated remote code execution risk in course blocks

deur Michael Hawkins -

A remote code execution risk was identified in course blocks. By default this was only available to teachers and managers.


Severity/Risk: Serious
Versions affected: 4.3, 4.2 to 4.2.3, 4.1 to 4.1.6, 4.0 to 4.0.11, 3.11 to 3.11.17, 3.9 to 3.9.24 and earlier unsupported versions
Versions fixed: 4.3.1, 4.2.4, 4.1.7, 4.0.12, 3.11.18 and 3.9.25
Reported by: Vincent Schneider (cli-ish)
CVE identifier: CVE-2023-6663
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-79797
Tracker issue: MDL-79797 Authenticated remote code execution risk in course blocks
Bespreek hierdie onderwerp  (0 antwoorde tot dusver)

MSA-23-0045: DOS risk in URL downloader

deur Michael Hawkins -

Insufficient recursion limitations resulted in a denial of service risk in the URL downloader.


Severity/Risk: Serious
Versions affected: 4.3, 4.2 to 4.2.3, 4.1 to 4.1.6, 4.0 to 4.0.11, 3.11 to 3.11.17, 3.9 to 3.9.24 and earlier unsupported versions
Versions fixed: 4.3.1, 4.2.4, 4.1.7, 4.0.12, 3.11.18 and 3.9.25
Reported by: herocharge
CVE identifier: CVE-2023-6662
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-79759
Tracker issue: MDL-79759 DOS risk in URL downloader
Bespreek hierdie onderwerp  (0 antwoorde tot dusver)

MSA-23-0044: Authenticated remote code execution risk in logstore as manager

deur Michael Hawkins -

A remote code execution risk was identified in logstore. By default this was only available to managers.


Severity/Risk: Serious
Versions affected: 4.3, 4.2 to 4.2.3, 4.1 to 4.1.6, 4.0 to 4.0.11, 3.11 to 3.11.17, 3.9 to 3.9.24 and earlier unsupported versions
Versions fixed: 4.3.1, 4.2.4, 4.1.7, 4.0.12, 3.11.18 and 3.9.25
Reported by: Vincent Schneider (cli-ish)
CVE identifier: CVE-2023-6661
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-80174
Tracker issue: MDL-80174 Authenticated remote code execution risk in logstore as manager
Bespreek hierdie onderwerp  (0 antwoorde tot dusver)

MSA-23-0043: Forum summary report shows students from other groups when in Separate Groups mode

deur Michael Hawkins -

Separate Groups mode restrictions were not honoured in the forum summary report, which would display users from other groups.


Severity/Risk: Minor
Versions affected: 4.2 to 4.2.2, 4.1 to 4.1.5, 4.0 to 4.0.10, 3.11 to 3.11.16, 3.9 to 3.9.23 and earlier unsupported versions
Versions fixed: 4.2.3, 4.1.6, 4.0.11, 3.11.17 and 3.9.24
Reported by: Fabián Glagovsky
CVE identifier: CVE-2023-5551
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-79310
Tracker issue: MDL-79310 Forum summary report shows students from other groups when in Separate Groups mode
Bespreek hierdie onderwerp  (0 antwoorde tot dusver)

MSA-23-0042: RCE due to LFI risk in some misconfigured shared hosting environments

deur Michael Hawkins -

In a shared hosting environment that has been misconfigured to allow access to other users' content, a Moodle user who also has direct access to the web server outside of the Moodle webroot could utilise a local file include to achieve remote code execution.


Severity/Risk: Serious
Versions affected: 4.2 to 4.2.2, 4.1 to 4.1.5, 4.0 to 4.0.10, 3.11 to 3.11.16, 3.9 to 3.9.23 and earlier unsupported versions
Versions fixed: 4.2.3, 4.1.6, 4.0.11, 3.11.17 and 3.9.24
Reported by: 0xkasper
CVE identifier: CVE-2023-5550
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-72249
Tracker issue: MDL-72249 RCE due to LFI risk in some misconfigured shared hosting environments
Bespreek hierdie onderwerp  (0 antwoorde tot dusver)