Security announcements

MSA-23-0026: IDOR in message processor fragments allows fetching of other users' data

Posted by Michael Hawkins

Insufficient capability checks made it possible to fetch other users' message processor preferences data.


Severity/Risk: Minor
Versions affected: 4.2 to 4.2.1, 4.1 to 4.1.4, 4.0 to 4.0.9, 3.11 to 3.11.15, 3.9 to 3.9.22 and earlier unsupported versions
Versions fixed: 4.2.2, 4.1.5, 4.0.10, 3.11.16 and 3.9.23
Reported by: Paul Holden
CVE identifier: CVE-2023-40322
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-78792
Tracker issue: MDL-78792 IDOR in message processor fragments allows fetching of other users' data

MSA-23-0025: phpCAS library upgraded to 1.6.0 (upstream)

Posted by Michael Hawkins

The phpCAS library included with Moodle has been upgraded to version 1.6.0, which includes a fix for a serious security issue.


Severity/Risk: Serious
Versions affected: 4.0 to 4.0.9, 3.11 to 3.11.15, 3.9 to 3.9.22 and earlier unsupported versions
Versions fixed: 4.0.10, 3.11.16 and 3.9.23
Reported by: Julien Boulen
CVE identifier: CVE-2022-39369
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-78620
Tracker issue: MDL-78620 phpCAS library upgraded to 1.6.0 (upstream)

MSA-23-0024: Private course participant data available from external grade report method

Posted by Michael Hawkins

Insufficient capability checks resulted in course participant data being available to other participants in the course who would not otherwise have access to the information.


Severity/Risk: Minor
Versions affected: 4.2 to 4.2.1
Versions fixed: 4.2.2
Reported by: Paul Holden
CVE identifier: CVE-2023-40321
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-78871
Tracker issue: MDL-78871 Private course participant data available from external grade report method

MSA-23-0023: Stored self-XSS escalated to stored XSS via OAuth 2 login

Posted by Michael Hawkins

It was possible to escalate stored self-XSS to stored XSS where users log in via OAuth 2.


Severity/Risk: Serious
Versions affected: 4.2 to 4.2.1, 4.1 to 4.1.4, 4.0 to 4.0.9, 3.11 to 3.11.15, 3.9 to 3.9.22 and earlier unsupported versions
Versions fixed: 4.2.2, 4.1.5, 4.0.10, 3.11.16 and 3.9.23
Reported by: Yaniv Nizry (SonarSource)
CVE identifier: CVE-2023-40320
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-78685
Tracker issue: MDL-78685 Stored self-XSS escalated to stored XSS via OAuth 2 login

MSA-23-0022: SQL injection risk in grader report sorting

Posted by Michael Hawkins

An SQL injection risk was identified in the grader report sorting.

(Note: By default the capability to access this page is only available to teachers, non-editing teachers and managers.)

Severity/Risk: Serious
Versions affected: 4.2 to 4.2.1
Versions fixed: 4.2.2
Reported by: Paul Holden
Workaround: Remove access to the gradereport/grader:view capability until the patch has been applied.
CVE identifier: CVE-2023-40319
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-78790
Tracker issue: MDL-78790 SQL injection risk in grader report sorting

MSA-23-0021: Some block permissions on Dashboard not respected

Posted by Michael Hawkins

Permission overrides on individual blocks in the system dashboard did not cascade to user dashboards.


Severity/Risk: Minor
Versions affected: 4.2 to 4.2.1, 4.1 to 4.1.4, 4.0 to 4.0.9, 3.11 to 3.11.15, 3.9 to 3.9.22 and earlier unsupported versions
Versions fixed: 4.2.2, 4.1.5, 4.0.10, 3.11.16 and 3.9.23
Reported by: Bas Harkink
CVE identifier: CVE-2023-40318
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-78340
Tracker issue: MDL-78340 Some block permissions on Dashboard not respected

MSA-23-0020: Remote code execution risk when parsing malformed file repository reference

Posted by Michael Hawkins

A remote code execution risk was identified where file repository reference properties are parsed.


Severity/Risk: Serious
Versions affected: 4.2 to 4.2.1, 4.1 to 4.1.4, 4.0 to 4.0.9, 3.11 to 3.11.15, 3.9 to 3.9.22 and earlier unsupported versions
Versions fixed: 4.2.2, 4.1.5, 4.0.10, 3.11.16 and 3.9.23
Reported by: Paul Holden
CVE identifier: CVE-2023-40317
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-78647
Tracker issue: MDL-78647 Remote code execution risk when parsing malformed file repository reference

MSA-23-0019: Proxy bypass risk due to insufficient validation

Posted by Michael Hawkins

Incorrect domain matching logic made it possible to bypass the proxy, which could result in access to hosts intended to be blocked by the proxy.


Severity/Risk: Serious
Versions affected: 4.2 to 4.2.1, 4.1 to 4.1.4, 4.0 to 4.0.9, 3.11 to 3.11.15, 3.9 to 3.9.22 and earlier unsupported versions
Versions fixed: 4.2.2, 4.1.5, 4.0.10, 3.11.16 and 3.9.23
Reported by: Brendan Heywood
Workaround: Add hosts blocked within the proxy to the Moodle cURL blocked hosts configuration if possible, until the patch is applied.
CVE identifier: CVE-2023-40316
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-74289
Tracker issue: MDL-74289 Proxy bypass risk due to insufficient validation

MSA-23-0018: SSRF risk due to insufficient check on the cURL blocked hosts list

Posted by Michael Hawkins

An issue in the logic used to check 0.0.0.0 against the cURL blocked hosts list resulted in an SSRF risk.


Severity/Risk: Serious
Versions affected: 4.2, 4.1 to 4.1.3, 4.0 to 4.0.8, 3.11 to 3.11.14, 3.9 to 3.9.21 and earlier unsupported versions
Versions fixed: 4.2.1, 4.1.4, 4.0.9, 3.11.15 and 3.9.22
Reported by: Mateo Hanžek
CVE identifier: CVE-2023-35133
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-78215
Tracker issue: MDL-78215 SSRF risk due to insufficient check on the cURL blocked hosts list

MSA-23-0017: Minor SQL injection risk on Mnet SSO access control page

Posted by Michael Hawkins

A limited SQL injection risk was identified on the Mnet SSO access control page.


Severity/Risk: Minor
Versions affected: 4.2, 4.1 to 4.1.3, 4.0 to 4.0.8, 3.11 to 3.11.14, 3.9 to 3.9.21 and earlier unsupported versions
Versions fixed: 4.2.1, 4.1.4, 4.0.9, 3.11.15 and 3.9.22
Reported by: Paul Holden
CVE identifier: CVE-2023-35132
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-77193
Tracker issue: MDL-77193 Minor SQL injection risk on Mnet SSO access control page