Security announcements

MSA-21-0036: Quiz unreleased grade disclosure via web service

by Michael Hawkins

It was possible for a student to view their quiz grade before it had been released, using a quiz web service.


Severity/Risk: Serious
Versions affected: 3.11 to 3.11.2, 3.10 to 3.10.6, 3.9 to 3.9.9 and earlier unsupported versions
Versions fixed: 3.11.3, 3.10.7 and 3.9.10
Reported by: Nadav Kavalerchik
CVE identifier: CVE-2021-40695
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71797
Tracker issue: MDL-71797 Quiz unreleased grade disclosure via web service

MSA-21-0035: Arbitrary file read by site administrators via LaTeX preamble

by Michael Hawkins

Insufficient escaping of the LaTeX preamble made it possible for site administrators to read files available to the HTTP server system account.


Severity/Risk: Serious
Versions affected: 3.11 to 3.11.2, 3.10 to 3.10.6, 3.9 to 3.9.9 and earlier unsupported versions
Versions fixed: 3.11.3, 3.10.7 and 3.9.10
Reported by: raisin_bugbounty
Workaround: Hard-code the value of the LaTeX preamble into $CFG->forced_plugin_settings['filter_tex']['latexpreamble'] within the site's config.php file.
CVE identifier: CVE-2021-40694
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71240
Tracker issue: MDL-71240 Arbitrary file read by site administrators via LaTeX preamble
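
The workaround for MSA-21-0035 as a config.php excerpt. This is an added example, not part of the original announcement or Moodle's shipped configuration; the preamble string is a sample value and should be replaced with the preamble your site has reviewed.

```php
<?php  // Excerpt from the site's config.php (added example).

// ... existing $CFG->dbtype, $CFG->wwwroot, $CFG->dataroot settings ...

// Pin the TeX filter's LaTeX preamble. Values in forced_plugin_settings
// override whatever is stored in the database, so a preamble entered
// through the admin settings page is no longer used.
// Sample value (assumption): replace with your site's reviewed preamble.
$CFG->forced_plugin_settings['filter_tex']['latexpreamble'] =
    "\\usepackage[latin1]{inputenc}\n" .
    "\\usepackage{amsmath}\n" .
    "\\usepackage{amsfonts}\n" .
    "\\RequirePackage{amsmath,amssymb,latexsym}\n";

// Forced settings must be defined before setup.php is loaded.
require_once(__DIR__ . '/lib/setup.php');
```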

MSA-21-0034: Authentication bypass risk when using external database authentication

by Michael Hawkins

An authentication bypass risk was identified in the external database authentication functionality, due to a type juggling vulnerability.


Severity/Risk: Serious
Versions affected: 3.11 to 3.11.2, 3.10 to 3.10.6, 3.9 to 3.9.9 and earlier unsupported versions
Versions fixed: 3.11.3, 3.10.7 and 3.9.10
Reported by: Amit Eyal
CVE identifier: CVE-2021-40693
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71160
Tracker issue: MDL-71160 Authentication bypass risk when using external database authentication

MSA-21-0033: Course participants download did not restrict which users could be exported

by Michael Hawkins

Insufficient capability checks made it possible for teachers to download users outside of their courses.


Severity/Risk: Minor
Versions affected: 3.11 to 3.11.2, 3.10 to 3.10.6, 3.9 to 3.9.9 and earlier unsupported versions
Versions fixed: 3.11.3, 3.10.7 and 3.9.10
Reported by: Paul Holden
CVE identifier: CVE-2021-40692
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71726
Tracker issue: MDL-71726 Course participants download did not restrict which users could be exported

MSA-21-0032: Session Hijack risk when Shibboleth authentication is enabled

by Michael Hawkins

A session hijack risk was identified in the Shibboleth authentication plugin. (Note: Shibboleth authentication is disabled by default in Moodle.)


Severity/Risk: Serious
Versions affected: 3.11 to 3.11.2, 3.10 to 3.10.6, 3.9 to 3.9.9 and earlier unsupported versions
Versions fixed: 3.11.3, 3.10.7 and 3.9.10
Reported by: Robin Peraglie and Johannes Moritz
CVE identifier: CVE-2021-40691
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71976
Tracker issue: MDL-71976 Session Hijack risk when Shibboleth authentication is enabled

MSA-21-0031: Messaging email notifications containing HTML may hide the final line of the email

by Michael Hawkins

In some circumstances, email notifications of messages could have the link back to the original message hidden by HTML, which may pose a phishing risk.


Severity/Risk: Minor
Versions affected: 3.11, 3.10 to 3.10.4, 3.9 to 3.9.7 and earlier unsupported versions
Versions fixed: 3.11.1, 3.10.5 and 3.9.8
Reported by: i_am_nobody
CVE identifier: CVE-2021-36403
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71919
Tracker issue: MDL-71919 Messaging email notifications containing HTML may hide the final line of the email

MSA-21-0030: Insufficient escaping of users' names in account confirmation email

by Michael Hawkins

Users' names required additional sanitizing in the account confirmation email, to prevent a self-registration phishing risk.

Note: If you have customised the language string emailconfirmation, you will need to edit the customisation and remove the placeholder {$a->firstname}.

Severity/Risk: Minor
Versions affected: 3.11, 3.10 to 3.10.4, 3.9 to 3.9.7 and earlier unsupported versions
Versions fixed: 3.11.1, 3.10.5 and 3.9.8
Reported by: Babar Khan Akhunzada
CVE identifier: CVE-2021-36402
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-58393
Tracker issue: MDL-58393 Insufficient escaping of users' names in account confirmation email

MSA-21-0029: Stored XSS when exporting to data formats supporting HTML via user ID number

by Michael Hawkins

ID numbers exported in HTML data formats required additional sanitizing to prevent a local stored XSS risk. Note that the XSS was part of the locally downloaded file and not on the Moodle site's domain.


Severity/Risk: Minor
Versions affected: 3.11, 3.10 to 3.10.4, 3.9 to 3.9.7 and earlier unsupported versions
Versions fixed: 3.11.1, 3.10.5 and 3.9.8
Reported by: Paul Holden
CVE identifier: CVE-2021-36401
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71981
Tracker issue: MDL-71981 Stored XSS when exporting to data formats supporting HTML via user ID number

MSA-21-0028: IDOR allows removal of other users' calendar URL subscriptions

by Michael Hawkins

Insufficient capability checks made it possible to remove other users' calendar URL subscriptions.


Severity/Risk: Minor
Versions affected: 3.11, 3.10 to 3.10.4, 3.9 to 3.9.7 and earlier unsupported versions
Versions fixed: 3.11.1, 3.10.5 and 3.9.8
Reported by: Floerer
CVE identifier: CVE-2021-36400
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71978
Tracker issue: MDL-71978 IDOR allows removal of other users' calendar URL subscriptions

MSA-21-0027: Stored XSS in quiz override screens via user ID number

by Michael Hawkins

ID numbers displayed in the quiz override screens required additional sanitizing to prevent a stored XSS risk.


Severity/Risk: Minor
Versions affected: 3.11
Versions fixed: 3.11.1
Reported by: Paul Holden
CVE identifier: CVE-2021-36399
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71898
Tracker issue: MDL-71898 Stored XSS in quiz override screens via user ID number