The referrer URL used by MFA required additional sanitizing, rather than being used directly.
| Severity/Risk: | Minor |
| Versions affected: | 4.3 to 4.3.3 |
| Versions fixed: | 4.3.4 |
| Reported by: | Petr Skoda |
| CVE identifier: | CVE-2024-33999 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-80878 |
| Tracker issue: | MDL-80878 Unsafe direct use of $_SERVER['HTTP_REFERER'] in admin/tool/mfa/index.php |
Insufficient escaping of participants' names in the participants page table resulted in a stored XSS risk when interacting with some features.
| Severity/Risk: | Minor |
| Versions affected: | 4.0 to 4.3.3, 4.2 to 4.2.6, 4.1 to 4.1.9 and earlier unsupported versions |
| Versions fixed: | 4.3.4, 4.2.7 and 4.1.10 |
| Reported by: | Aleksey Solovev (Positive Technologies) |
| CVE identifier: | CVE-2024-33998 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-81354 |
| Tracker issue: | MDL-81354 Stored XSS via user's name on participants page when opening some options |
Additional sanitizing was required when opening the equation editor, to prevent a stored XSS risk when editing another user's equation.
| Severity/Risk: | Minor |
| Versions affected: | 4.0 to 4.3.3, 4.2 to 4.2.6, 4.1 to 4.1.9 and earlier unsupported versions |
| Versions fixed: | 4.3.4, 4.2.7 and 4.1.10 |
| Reported by: | Aleksey Solovev (Positive Technologies) |
| CVE identifier: | CVE-2024-33997 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-81352 |
| Tracker issue: | MDL-81352 Stored XSS risk when editing another user's equation in equation editor |
Incorrect validation of allowed event types in a calendar web service made it possible for some users to create events with types/audiences they did not have permission to publish to.
| Severity/Risk: | Serious |
| Versions affected: | 4.0 to 4.3.3, 4.2 to 4.2.6, 4.1 to 4.1.9 and earlier unsupported versions |
| Versions fixed: | 4.3.4, 4.2.7 and 4.1.10 |
| Reported by: | David Utón (m3n0sd0n4ld) |
| CVE identifier: | CVE-2024-33996 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-81247 |
| Tracker issue: | MDL-81247 Broken access control when setting calendar event type |
Insufficient checks in a web service made it possible to add comments to the comments block on another user's dashboard when it was not otherwise available (eg on their profile page).
| Severity/Risk: | Minor |
| Versions affected: | 4.3 to 4.3.2, 4.2 to 4.2.5, 4.1 to 4.1.8 and earlier unsupported versions |
| Versions fixed: | 4.3.3, 4.2.6 and 4.1.9 |
| Reported by: | BA7MAN |
| CVE identifier: | CVE-2024-25983 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-78300 |
| Tracker issue: | MDL-78300 IDOR on dashboard comments block |
The link to update all installed language packs did not include the necessary token to prevent a CSRF risk.
| Severity/Risk: | Minor |
| Versions affected: | 4.3 to 4.3.2, 4.2 to 4.2.5, 4.1 to 4.1.8 and earlier unsupported versions |
| Versions fixed: | 4.3.3, 4.2.6 and 4.1.9 |
| Reported by: | Panagiotis Petasis |
| CVE identifier: | CVE-2024-25982 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-54749 |
| Tracker issue: | MDL-54749 CSRF risk in Language import utility |
Separate Groups mode restrictions were not honoured when performing a forum export, which would export forum data for all groups. By default this only provided additional access to non-editing teachers.
| Severity/Risk: | Minor |
| Versions affected: | 4.3 to 4.3.2, 4.2 to 4.2.5, 4.1 to 4.1.8 and earlier unsupported versions |
| Versions fixed: | 4.3.3, 4.2.6 and 4.1.9 |
| Reported by: | Leon Stringer |
| CVE identifier: | CVE-2024-25981 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-80504 |
| Tracker issue: | MDL-80504 Forum export did not respect activity group settings |
Separate Groups mode restrictions were not honoured in the H5P attempts report, which would display users from other groups. By default this only provided additional access to non-editing teachers.
| Severity/Risk: | Minor |
| Versions affected: | 4.3 to 4.3.2, 4.2 to 4.2.5, 4.1 to 4.1.8 and earlier unsupported versions |
| Versions fixed: | 4.3.3, 4.2.6 and 4.1.9 |
| Reported by: | Leon Stringer |
| CVE identifier: | CVE-2024-25980 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-80501 |
| Tracker issue: | MDL-80501 H5P attempts report did not respect activity group settings |
The URL parameters accepted by forum search were not limited to the allowed parameters.
| Severity/Risk: | Minor |
| Versions affected: | 4.3 to 4.3.2, 4.2 to 4.2.5, 4.1 to 4.1.8 and earlier unsupported versions |
| Versions fixed: | 4.3.3, 4.2.6 and 4.1.9 |
| Reported by: | Piotr Widak |
| CVE identifier: | CVE-2024-25979 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-69774 |
| Tracker issue: | MDL-69774 Forum search accepted random parameters in its URL |
Insufficient file size checks resulted in a denial of service risk in the file picker's unzip functionality.
| Severity/Risk: | Serious |
| Versions affected: | 4.3 to 4.3.2, 4.2 to 4.2.5, 4.1 to 4.1.8 and earlier unsupported versions |
| Versions fixed: | 4.3.3, 4.2.6 and 4.1.9 |
| Reported by: | Sam Ezeh |
| CVE identifier: | CVE-2024-25978 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-74641 |
| Tracker issue: | MDL-74641 Denial of service risk in file picker unzip functionality |