Security announcements

MSA-23-0041: Insufficient capability checks when updating the parent of a course category

By Michael Hawkins on

Insufficient web service capability checks made it possible to move categories a user had permission to manage, to a parent category they did not have the capability to manage.

Severity/Risk: Minor
Versions affected: 4.2 to 4.2.2, 4.1 to 4.1.5, 4.0 to 4.0.10, 3.11 to 3.11.16, 3.9 to 3.9.23 and earlier unsupported versions
Versions fixed: 4.2.3, 4.1.6, 4.0.11, 3.11.17 and 3.9.24
Reported by: Erica Bithell
CVE identifier: CVE-2023-5549
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-66730
Tracker issue: MDL-66730 Insufficient capability checks when updating the parent of a course category

MSA-23-0040: Make file serving endpoints revision control stricter

By Michael Hawkins on

Stronger revision number limitations were required on file serving endpoints to improve cache poisoning protection.

Severity/Risk: Minor
Versions affected: 4.2 to 4.2.2, 4.1 to 4.1.5, 4.0 to 4.0.10, 3.11 to 3.11.16, 3.9 to 3.9.23 and earlier unsupported versions
Versions fixed: 4.2.3, 4.1.6, 4.0.11, 3.11.17 and 3.9.24
Reported by: Yaniv Nizry (SonarSource)
CVE identifier: CVE-2023-5548
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-77846
Tracker issue: MDL-77846 Make file serving endpoints revision control stricter

MSA-23-0039: XSS risk when previewing data in course upload tool

By Michael Hawkins on

The course upload preview contained an XSS risk for users uploading unsafe data.

Severity/Risk: Minor
Versions affected: 4.2 to 4.2.2, 4.1 to 4.1.5, 4.0 to 4.0.10, 3.11 to 3.11.16, 3.9 to 3.9.23 and earlier unsupported versions
Versions fixed: 4.2.3, 4.1.6, 4.0.11, 3.11.17 and 3.9.24
Reported by: Paul Holden
Workaround: Verify the contents and trustworthiness of course data before uploading it.
CVE identifier: CVE-2023-5547
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-79455
Tracker issue: MDL-79455 XSS risk when previewing data in course upload tool

MSA-23-0038: Stored XSS in quiz grading report via user ID number

By Michael Hawkins on

ID numbers displayed in the quiz grading report required additional sanitizing to prevent a stored XSS risk.

Severity/Risk: Minor
Versions affected: 4.2 to 4.2.2, 4.1 to 4.1.5 and 4.0 to 4.0.10
Versions fixed: 4.2.3, 4.1.6 and 4.0.11
Reported by: Paul Holden
CVE identifier: CVE-2023-5546
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-78971
Tracker issue: MDL-78971 Stored XSS in quiz grading report via user ID number

MSA-23-0037: Auto-populated H5P author name causes a potential information leak

By Michael Hawkins on

H5P metadata automatically populated the author with the user's username, which could be sensitive information.

Severity/Risk: Minor
Versions affected: 4.2 to 4.2.2, 4.1 to 4.1.5, 4.0 to 4.0.10, 3.11 to 3.11.16, 3.9 to 3.9.23 and earlier unsupported versions
Versions fixed: 4.2.3, 4.1.6, 4.0.11, 3.11.17 and 3.9.24
Reported by: Josh Manders
CVE identifier: CVE-2023-5545
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-78820
Tracker issue: MDL-78820 Auto-populated H5P author name causes a potential information leak

MSA-23-0036: Stored XSS and potential IDOR risk in Wiki comments

By Michael Hawkins on

Wiki comments required additional sanitizing and access restrictions to prevent a stored XSS risk and potential IDOR risk.

Severity/Risk: Serious
Versions affected: 4.2 to 4.2.2, 4.1 to 4.1.5, 4.0 to 4.0.10, 3.11 to 3.11.16, 3.9 to 3.9.23 and earlier unsupported versions
Versions fixed: 4.2.3, 4.1.6, 4.0.11, 3.11.17 and 3.9.24
Reported by: h1w0rld
CVE identifier: CVE-2023-5544
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-79509
Tracker issue: MDL-79509 Stored XSS and potential IDOR risk in Wiki comments

MSA-23-0035: Duplicating a BigBlueButton activity assigns the same meeting ID

By Michael Hawkins on

When duplicating a BigBlueButton activity, the original meeting ID was also duplicated instead of using a new ID for the new activity. This could provide unintended access to the original meeting.

Severity/Risk: Minor
Versions affected: 4.2 to 4.2.2, 4.1 to 4.1.5 and 4.0 to 4.0.10
Versions fixed: 4.2.3, 4.1.6 and 4.0.11
Reported by: Lionel Caylat
Workaround: Manually create a fresh BigBlueButton activity instead of duplicating, until the patch has been applied.
CVE identifier: CVE-2023-5543
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-77795
Tracker issue: MDL-77795 Duplicating a BigBlueButton activity assigns the same meeting ID

MSA-23-0034: Students could see other students in "Only see own membership" groups

By Michael Hawkins on

Students in "Only see own membership" groups could see other students in the group, which should be hidden.

Severity/Risk: Minor
Versions affected: 4.2.2
Versions fixed: 4.2.3
Reported by: Eliot
CVE identifier: CVE-2023-5542
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-79213
Tracker issue: MDL-79213 Students could see other students in "Only see own membership" groups

MSA-23-0033: XSS risk when using CSV grade import method

By Michael Hawkins on

The CSV grade import method contained an XSS risk for users importing the spreadsheet, if it contained unsafe content.

Severity/Risk: Minor
Versions affected: 4.2 to 4.2.2, 4.1 to 4.1.5, 4.0 to 4.0.10, 3.11 to 3.11.16, 3.9 to 3.9.23 and earlier unsupported versions
Versions fixed: 4.2.3, 4.1.6, 4.0.11, 3.11.17 and 3.9.24
Reported by: Attilio Ferrari
Workaround: Verify the contents and trustworthiness of grade spreadsheets before importing them.
CVE identifier: CVE-2023-5541
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-79426
Tracker issue: MDL-79426 XSS risk when using CSV grade import method

MSA-23-0032: Authenticated remote code execution risk in IMSCP

By Michael Hawkins on

A remote code execution risk was identified in the IMSCP activity. By default this was only available to teachers and managers.

Severity/Risk: Serious
Versions affected: 4.2 to 4.2.2, 4.1 to 4.1.5, 4.0 to 4.0.10, 3.11 to 3.11.16, 3.9 to 3.9.23 and earlier unsupported versions
Versions fixed: 4.2.3, 4.1.6, 4.0.11, 3.11.17 and 3.9.24
Reported by: Vincent Schneider (cli-ish)
CVE identifier: CVE-2023-5540
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-79409
Tracker issue: MDL-79409 Authenticated remote code execution risk in IMSCP