Security announcements

MSA-21-0012: Forum CSV export could result in posts from all courses being exported

by Michael Hawkins

Teachers exporting a forum in CSV format could receive a CSV of forums from all courses in some circumstances.


Severity/Risk: Serious
Versions affected: 3.10 to 3.10.3, 3.9 to 3.9.6 and 3.8 to 3.8.8
Versions fixed: 3.11, 3.10.4, 3.9.7 and 3.8.9
Reported by: Daniel Konrad
Workaround: Remove the Export Forum (mod/forum:exportforum) capability from non-admin roles/users until the patch has been applied.
CVE identifier: CVE-2021-32472
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71359
Tracker issue: MDL-71359 Forum CSV export could result in posts from all courses being exported

MSA-21-0011: JQuery versions below 3.5.0 contain some potential vulnerabilities (upstream)

by Michael Hawkins

The JQuery version used by Moodle required upgrading to 3.5.1 to patch some published potential vulnerabilities.


Severity/Risk: Minor
Versions affected: 3.10 to 3.10.1, 3.9 to 3.9.4, 3.8 to 3.8.7, 3.5 to 3.5.16 and earlier unsupported versions
Versions fixed: 3.10.2, 3.9.5, 3.8.8 and 3.5.17
Reported by: Mike Henry
CVE identifiers: CVE-2020-11022 and CVE-2020-11023
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-69680
Tracker issue: MDL-69680 JQuery versions below 3.5.0 contains some potential vulnerabilities

MSA-21-0010: Fetching a user's enrolled courses via web services did not check profile access in each course

by Michael Hawkins

The web service responsible for fetching other users' enrolled courses did not validate that the requesting user had permission to view that information in each course.


Severity/Risk: Minor
Versions affected: 3.10 to 3.10.1, 3.9 to 3.9.4, 3.8 to 3.8.7, 3.5 to 3.5.16 and earlier unsupported versions
Versions fixed: 3.10.2, 3.9.5, 3.8.8 and 3.5.17
Reported by: Paul Holden
CVE identifier: CVE-2021-20283
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-70822
Tracker issue: MDL-70822 Fetching a user's enrolled courses via web services did not check profile access in each course

MSA-21-0009: Bypass email verification secret when confirming account registration

by Michael Hawkins

When creating a user account, it was possible to verify the account without having access to the verification email link/secret.


Severity/Risk: Minor
Versions affected: 3.10 to 3.10.1, 3.9 to 3.9.4, 3.8 to 3.8.7, 3.5 to 3.5.16 and earlier unsupported versions
Versions fixed: 3.10.2, 3.9.5, 3.8.8 and 3.5.17
Reported by: Bandjes
CVE identifier: CVE-2021-20282
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-70668
Tracker issue: MDL-70668 Bypass email verification secret when confirming account registration

MSA-21-0008: User full name disclosure within online users block

by Michael Hawkins

It was possible for some users without permission to view other users' full names to do so via the online users block.


Severity/Risk: Minor
Versions affected: 3.10 to 3.10.1, 3.9 to 3.9.4, 3.8 to 3.8.7, 3.5 to 3.5.16 and earlier unsupported versions
Versions fixed: 3.10.2, 3.9.5, 3.8.8 and 3.5.17
Reported by: Ankit Agarwal
Workaround: Hide the online users block (via Site administration > Plugins > Blocks > Manage blocks) until the patch has been applied.
CVE identifier: CVE-2021-20281
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-59293
Tracker issue: MDL-59293 User full name disclosure within online users block

MSA-21-0007: Stored XSS and blind SSRF possible via feedback answer text

by Michael Hawkins

Text-based feedback answers required additional sanitizing to prevent stored XSS and blind SSRF risks.


Severity/Risk: Serious
Versions affected: 3.10 to 3.10.1, 3.9 to 3.9.4, 3.8 to 3.8.7, 3.5 to 3.5.16 and earlier unsupported versions
Versions fixed: 3.10.2, 3.9.5, 3.8.8 and 3.5.17
Reported by: Holme and Rekter0
CVE identifier: CVE-2021-20280
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-70767
Tracker issue: MDL-70767 Stored XSS and blind SSRF possible via feedback answer text

MSA-21-0006: Stored XSS via ID number user profile field

by Michael Hawkins

The ID number user profile field required additional sanitizing to prevent a stored XSS risk.


Severity/Risk: Serious
Versions affected: 3.10 to 3.10.1, 3.9 to 3.9.4, 3.8 to 3.8.7, 3.5 to 3.5.16 and earlier unsupported versions
Versions fixed: 3.10.2, 3.9.5, 3.8.8 and 3.5.17
Reported by: Magyar-Hunor Tamas
Workaround: Disable the ID number field by unchecking it in Site admin > Users > User policies > Show user identity, until the patch has been applied.
CVE identifier: CVE-2021-20279
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-65552
Tracker issue: MDL-65552 Stored XSS via ID number user profile field

MSA-21-0005: Arbitrary PHP code execution by site admins via Shibboleth configuration

by Michael Hawkins

It was possible for site administrators to execute arbitrary PHP scripts via a PHP include used during Shibboleth authentication.


Severity/Risk: Serious
Versions affected: 3.10, 3.9 to 3.9.3, 3.8 to 3.8.6, 3.5 to 3.5.15 and earlier unsupported versions
Versions fixed: 3.10.1, 3.9.4, 3.8.7 and 3.5.16
Reported by: Frédéric Massart
Workaround: Hardcode preventexecpath to true in config.php, which prevents site administrators from setting some executable paths via the UI. See https://docs.moodle.org/310/en/report/security/report_security_check_preventexecpath for more details.
CVE identifier: CVE-2021-20187
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-68486
Tracker issue: MDL-68486 Arbitrary PHP code execution by site admins via Shibboleth configuration

MSA-21-0004: Stored XSS possible via TeX notation filter

by Michael Hawkins

If the TeX notation filter was enabled, additional sanitizing of TeX content was required to prevent the risk of stored XSS.


Severity/Risk: Serious
Versions affected: 3.10, 3.9 to 3.9.3, 3.8 to 3.8.6, 3.5 to 3.5.15 and earlier unsupported versions
Versions fixed: 3.10.1, 3.9.4, 3.8.7 and 3.5.16
Reported by: Ata Hakcil
Workaround: Disable the TeX notation filter until the patch has been applied. (Note that this filter is disabled by default.)
CVE identifier: CVE-2021-20186
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-69911
Tracker issue: MDL-69911 Stored XSS possible via TeX notation filter

MSA-21-0003: Client side denial of service via personal message

by Michael Hawkins

Messaging did not impose a character limit when sending messages, which could result in client-side (browser) denial of service for users receiving very large messages.


Severity/Risk: Minor
Versions affected: 3.10, 3.9 to 3.9.3, 3.8 to 3.8.6, 3.5 to 3.5.15 and earlier unsupported versions
Versions fixed: 3.10.1, 3.9.4, 3.8.7 and 3.5.16
Reported by: Rik Gouw
CVE identifier: CVE-2021-20185
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-67782
Tracker issue: MDL-67782 Client side denial of service via personal message