Security announcements

MSA-23-0006: XSS risk when outputting database activity filter data

by Michael Hawkins -

Content output by the database auto-linking filter required additional sanitizing to prevent an XSS risk.


Severity/Risk: Serious
Versions affected: 4.1 to 4.1.1, 4.0 to 4.0.6, 3.11 to 3.11.12, 3.9 to 3.9.19 and earlier unsupported versions
Versions fixed: 4.1.2, 4.0.7, 3.11.13 and 3.9.20
Reported by: Petr Skoda
Workaround: Disable the database auto-linking filter until the patch has been applied.
CVE identifier: CVE-2023-28331
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-76645
Tracker issue: MDL-76645 XSS risk when outputting database activity filter data

MSA-23-0005: Authenticated arbitrary file read through malformed backup file

by Michael Hawkins -

Insufficient sanitizing in backup resulted in an arbitrary file read risk. The capability to access this feature is only available to teachers, managers and admins by default.


Severity/Risk: Serious
Versions affected: 4.1 to 4.1.1, 4.0 to 4.0.6, 3.11 to 3.11.12, 3.9 to 3.9.19 and earlier unsupported versions
Versions fixed: 4.1.2, 4.0.7, 3.11.13 and 3.9.20
Reported by: Vincent Schneider (cli-ish)
Workaround: Remove restore activity/course capabilities until the patch is applied.
CVE identifier: CVE-2023-28330
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-77204
Tracker issue: MDL-77204 Authenticated arbitrary file read through malformed backup file

MSA-23-0004: Authenticated SQL injection via availability check

by Michael Hawkins -

Insufficient validation of the profile field availability condition resulted in an SQL injection risk (by default only available to teachers and managers).


Severity/Risk: Serious
Versions affected: 4.1 to 4.1.1, 4.0 to 4.0.6, 3.11 to 3.11.12, 3.9 to 3.9.19 and earlier unsupported versions
Versions fixed: 4.1.2, 4.0.7, 3.11.13 and 3.9.20
Reported by: Vincent Schneider (cli-ish)
CVE identifier: CVE-2023-28329
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-77046
Tracker issue: MDL-77046 Authenticated SQL injection via availability check

MSA-23-0003: Possible to set the preferred "start page" of other users

by Michael Hawkins -

Insufficient limitations on the "start page" preference made it possible to set that preference for another user. (Note: this was still limited to the pre-defined start page options.)


Severity/Risk: Minor
Versions affected: 4.1, 4.0 to 4.0.5, 3.11 to 3.11.11, 3.9 to 3.9.18 and earlier unsupported versions
Versions fixed: 4.1.1, 4.0.6, 3.11.12 and 3.9.19
Reported by: Paul Holden
CVE identifier: CVE-2023-23923
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-76862
Tracker issue: MDL-76862 Possible to set the preferred "start page" of other users

MSA-23-0002: Reflected XSS risk in blog search

by Michael Hawkins -

Blog search required additional sanitizing to prevent a reflected XSS risk.


Severity/Risk: Serious
Versions affected: 4.1 and 4.0 to 4.0.5
Versions fixed: 4.1.1, 4.0.6
Reported by: Unknown (name not provided)
CVE identifier: CVE-2023-23922
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-76861
Tracker issue: MDL-76861 Reflected XSS risk in blog search

MSA-23-0001: Reflected XSS risk in some returnurl parameters

by Michael Hawkins -

Some returnurl parameters required additional sanitizing to prevent a reflected XSS risk.


Severity/Risk: Serious
Versions affected: 4.1, 4.0 to 4.0.5, 3.11 to 3.11.11, 3.9 to 3.9.18 and earlier unsupported versions
Versions fixed: 4.1.1, 4.0.6, 3.11.12 and 3.9.19
Reported by: DegrangeM
CVE identifier: CVE-2023-23921
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-76810
Tracker issue: MDL-76810 Reflected XSS risk in some returnurl parameters

MSA-22-0032: Blind SSRF risk in LTI provider library

by Michael Hawkins -

Moodle's LTI provider library did not utilise Moodle's inbuilt cURL helper, which resulted in a blind SSRF risk.


Severity/Risk: Serious
Versions affected: 4.0 to 4.0.4, 3.11 to 3.11.10, 3.9 to 3.9.17 and earlier unsupported versions
Versions fixed: 4.0.5, 3.11.11 and 3.9.18
Reported by: Rekter0 and Holme
CVE identifier: CVE-2022-45152
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71920
Tracker issue: MDL-71920 Blind SSRF risk in LTI provider library

MSA-22-0031: Stored XSS possible in some "social" user profile fields

by Michael Hawkins -

The "social" user profile field type performed insufficient escaping on some fields, resulting in a stored XSS risk.


Severity/Risk: Serious
Versions affected: 4.0 to 4.0.4 and 3.11 to 3.11.10
Versions fixed: 4.0.5 and 3.11.11
Reported by: Bernardo Cabral
Workaround: Update "social" user profile fields so their visibility is set to "not visible", until the patch is applied.
CVE identifier: CVE-2022-45151
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-76131
Tracker issue: MDL-76131 Stored XSS possible in some "social" user profile fields

MSA-22-0030: Reflected XSS risk in policy tool

by Michael Hawkins -

The return URL in the policy tool required extra sanitizing to prevent a reflected XSS risk.


Severity/Risk: Serious
Versions affected: 4.0 to 4.0.4, 3.11 to 3.11.10, 3.9 to 3.9.17 and earlier unsupported versions
Versions fixed: 4.0.5, 3.11.11 and 3.9.18
Reported by: Eric Merrill
CVE identifier: CVE-2022-45150
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-76091
Tracker issue: MDL-76091 Reflected XSS risk in policy tool

MSA-22-0029: Course restore - CSRF token passed in course redirect URL

by Michael Hawkins -

A user's CSRF token was unnecessarily included in the URL when being redirected to a course they have just restored.


Severity/Risk: Minor
Versions affected: 4.0 to 4.0.4, 3.11 to 3.11.10, 3.9 to 3.9.17 and earlier unsupported versions
Versions fixed: 4.0.5, 3.11.11 and 3.9.18
Reported by: Michael Hawkins
CVE identifier: CVE-2022-45149
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-75862
Tracker issue: MDL-75862 Course restore - CSRF token passed in course redirect URL