Security announcements

MSA-23-0033: XSS risk when using CSV grade import method

by Michael Hawkins -

The CSV grade import method contained an XSS risk for users importing the spreadsheet, if it contained unsafe content.


Severity/Risk: Minor
Versions affected: 4.2 to 4.2.2, 4.1 to 4.1.5, 4.0 to 4.0.10, 3.11 to 3.11.16, 3.9 to 3.9.23 and earlier unsupported versions
Versions fixed: 4.2.3, 4.1.6, 4.0.11, 3.11.17 and 3.9.24
Reported by: Attilio Ferrari
Workaround: Verify the contents and trustworthiness of grade spreadsheets before importing them.
CVE identifier: CVE-2023-5541
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-79426
Tracker issue: MDL-79426 XSS risk when using CSV grade import method
Discuss this topic  (0 replies so far)

MSA-23-0032: Authenticated remote code execution risk in IMSCP

by Michael Hawkins -

A remote code execution risk was identified in the IMSCP activity. By default this was only available to teachers and managers.


Severity/Risk: Serious
Versions affected: 4.2 to 4.2.2, 4.1 to 4.1.5, 4.0 to 4.0.10, 3.11 to 3.11.16, 3.9 to 3.9.23 and earlier unsupported versions
Versions fixed: 4.2.3, 4.1.6, 4.0.11, 3.11.17 and 3.9.24
Reported by: Vincent Schneider (cli-ish)
CVE identifier: CVE-2023-5540
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-79409
Tracker issue: MDL-79409 Authenticated remote code execution risk in IMSCP
Discuss this topic  (0 replies so far)

MSA-23-0031: Authenticated remote code execution risk in Lesson

by Michael Hawkins -

A remote code execution risk was identified in the Lesson activity. By default this was only available to teachers and managers.


Severity/Risk: Serious
Versions affected: 4.2 to 4.2.2, 4.1 to 4.1.5, 4.0 to 4.0.10, 3.11 to 3.11.16, 3.9 to 3.9.23 and earlier unsupported versions
Versions fixed: 4.2.3, 4.1.6, 4.0.11, 3.11.17 and 3.9.24
Reported by: Vincent Schneider (cli-ish)
CVE identifier: CVE-2023-5539
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-79408
Tracker issue: MDL-79408 Authenticated remote code execution risk in Lesson
Discuss this topic  (0 replies so far)

MSA-23-0030: Quiz sequential navigation bypass possible

by Michael Hawkins -

Insufficient limitations made it possible for students to bypass sequential navigation during a quiz attempt.


Severity/Risk: Minor
Versions affected: 4.2 to 4.2.1, 4.1 to 4.1.4, 4.0 to 4.0.9, 3.11 to 3.11.15, 3.9 to 3.9.22 and earlier unsupported versions
Versions fixed: 4.2.2, 4.1.5, 4.0.10, 3.11.16 and 3.9.23
Reported by: Abhijit A M
CVE identifier: CVE-2023-40325
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71728
Tracker issue: MDL-71728 Quiz sequential navigation bypass possible
Discuss this topic  (0 replies so far)

MSA-23-0029: Competency framework tools are not restricted as intended

by Michael Hawkins -

Insufficient capability checks resulted in competency framework tools being available to users without the relevant capability.


Severity/Risk: Minor
Versions affected: 4.2 to 4.2.1, 4.1 to 4.1.4, 4.0 to 4.0.9, 3.11 to 3.11.15, 3.9 to 3.9.22 and earlier unsupported versions
Versions fixed: 4.2.2, 4.1.5, 4.0.10, 3.11.16 and 3.9.23
Reported by: Michael Hawkins
CVE identifier: CVE-2023-40324
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-66212
Tracker issue: MDL-66212 Competency framework tools are not restricted as intended
Discuss this topic  (0 replies so far)

MSA-23-0028: Open redirect risk on admin view all policies page

by Michael Hawkins -

The admin view all policies page URL required additional sanitizing to prevent an open redirect risk.


Severity/Risk: Minor
Versions affected: 4.2 to 4.2.1, 4.1 to 4.1.4, 4.0 to 4.0.9, 3.11 to 3.11.15, 3.9 to 3.9.22 and earlier unsupported versions
Versions fixed: 4.2.2, 4.1.5, 4.0.10, 3.11.16 and 3.9.23
Reported by: Darko Miletic
CVE identifier: CVE-2023-40323
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-78763
Tracker issue: MDL-78763 Open redirect risk on admin view all policies page
Discuss this topic  (0 replies so far)

MSA-23-0027: JQuery UI library upgraded to 1.13.2 (upstream)

by Michael Hawkins -

The JQuery UI library included with Moodle has been upgraded to version 1.13.2, which includes fixes for security issues.


Severity/Risk: Minor
Versions affected: 3.11 to 3.11.15, 3.9 to 3.9.22 and earlier unsupported versions
Versions fixed: 3.11.16 and 3.9.23
Reported by: Wolf Ventir
CVE identifier: CVE-2022-31160, CVE-2021-41184, CVE-2021-41183 and CVE-2021-41182
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-74544
Tracker issue: MDL-74544 JQuery UI library upgraded to 1.13.2 (upstream)
Discuss this topic  (0 replies so far)

MSA-23-0026: IDOR in message processor fragments allows fetching of other users' data

by Michael Hawkins -

Insufficient capability checks made it possible to fetch other users' message processor preferences data.


Severity/Risk: Minor
Versions affected: 4.2 to 4.2.1, 4.1 to 4.1.4, 4.0 to 4.0.9, 3.11 to 3.11.15, 3.9 to 3.9.22 and earlier unsupported versions
Versions fixed: 4.2.2, 4.1.5, 4.0.10, 3.11.16 and 3.9.23
Reported by: Paul Holden
CVE identifier: CVE-2023-40322
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-78792
Tracker issue: MDL-78792 IDOR in message processor fragments allows fetching of other users' data
Discuss this topic  (0 replies so far)

MSA-23-0025: phpCAS library upgraded to 1.6.0 (upstream)

by Michael Hawkins -

The phpCAS library included with Moodle has been upgraded to version 1.6.0, which includes a fix for a serious security issue.


Severity/Risk: Serious
Versions affected: 4.0 to 4.0.9, 3.11 to 3.11.15, 3.9 to 3.9.22 and earlier unsupported versions
Versions fixed: 4.0.10, 3.11.16 and 3.9.23
Reported by: Julien Boulen
CVE identifier: CVE-2022-39369
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-78620
Tracker issue: MDL-78620 phpCAS library upgraded to 1.6.0 (upstream)
Discuss this topic  (0 replies so far)

MSA-23-0024: Private course participant data available from external grade report method

by Michael Hawkins -

Insufficient capability checks resulted in course participant data being available to other participants in the course who would not otherwise have access to the information.


Severity/Risk: Minor
Versions affected: 4.2 to 4.2.1
Versions fixed: 4.2.2
Reported by: Paul Holden
CVE identifier: CVE-2023-40321
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-78871
Tracker issue: MDL-78871 Private course participant data available from external grade report method
Discuss this topic  (0 replies so far)