Some returnurl parameters required additional sanitizing to prevent a reflected XSS risk.
| Severity/Risk: | Serious |
| Versions affected: | 4.1, 4.0 to 4.0.5, 3.11 to 3.11.11, 3.9 to 3.9.18 and earlier unsupported versions |
| Versions fixed: | 4.1.1, 4.0.6, 3.11.12 and 3.9.19 |
| Reported by: | DegrangeM |
| CVE identifier: | CVE-2023-23921 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-76810 |
| Tracker issue: | MDL-76810 Reflected XSS risk in some returnurl parameters |
Moodle's LTI provider library did not utilise Moodle's inbuilt cURL helper, which resulted in a blind SSRF risk.
| Severity/Risk: | Serious |
| Versions affected: | 4.0 to 4.0.4, 3.11 to 3.11.10, 3.9 to 3.9.17 and earlier unsupported versions |
| Versions fixed: | 4.0.5, 3.11.11 and 3.9.18 |
| Reported by: | Rekter0 and Holme |
| CVE identifier: | CVE-2022-45152 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71920 |
| Tracker issue: | MDL-71920 Blind SSRF risk in LTI provider library |
The "social" user profile field type performed insufficient escaping on some fields, resulting in a stored XSS risk.
| Severity/Risk: | Serious |
| Versions affected: | 4.0 to 4.0.4 and 3.11 to 3.11.10 |
| Versions fixed: | 4.0.5 and 3.11.11 |
| Reported by: | Bernardo Cabral |
| Workaround: | Update "social" user profile fields so their visibility is set to "not visible", until the patch is applied. |
| CVE identifier: | CVE-2022-45151 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-76131 |
| Tracker issue: | MDL-76131 Stored XSS possible in some "social" user profile fields |
The return URL in the policy tool required extra sanitizing to prevent a reflected XSS risk.
| Severity/Risk: | Serious |
| Versions affected: | 4.0 to 4.0.4, 3.11 to 3.11.10, 3.9 to 3.9.17 and earlier unsupported versions |
| Versions fixed: | 4.0.5, 3.11.11 and 3.9.18 |
| Reported by: | Eric Merrill |
| CVE identifier: | CVE-2022-45150 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-76091 |
| Tracker issue: | MDL-76091 Reflected XSS risk in policy tool |
A user's CSRF token was unnecessarily included in the URL when being redirected to a course they have just restored.
| Severity/Risk: | Minor |
| Versions affected: | 4.0 to 4.0.4, 3.11 to 3.11.10, 3.9 to 3.9.17 and earlier unsupported versions |
| Versions fixed: | 4.0.5, 3.11.11 and 3.9.18 |
| Reported by: | Michael Hawkins |
| CVE identifier: | CVE-2022-45149 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-75862 |
| Tracker issue: | MDL-75862 Course restore - CSRF token passed in course redirect URL |
An upstream security patch was applied to the third party VideoJS library included with Moodle, on versions affected by an XSS risk.
| Severity/Risk: | Serious |
| Versions affected: | 3.11 to 3.11.10, 3.9 to 3.9.17 and earlier unsupported versions |
| Versions fixed: | 3.11.11 and 3.9.18 |
| Reported by: | Vincent |
| CVE identifier: | CVE-2021-23414 (upstream) |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-75278 |
| Tracker issue: | MDL-75278 Apply upstream security fix to VideoJS library to remove XSS risk |
Insufficient limitations in some quiz web services made it possible for students to bypass sequential navigation during a quiz attempt.
| Severity/Risk: | Minor |
| Versions affected: | 4.0 to 4.0.2, 3.11 to 3.11.8, 3.9 to 3.9.15 and earlier unsupported versions |
| Versions fixed: | 4.0.3, 3.11.9 and 3.9.16 |
| Reported by: | omaralbalouli |
| CVE identifier: | CVE-2022-40208 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-75210 |
| Tracker issue: | MDL-75210 Quiz sequential navigation bypass using web services |
The H5P activity attempts report did not filter by groups, which in separate groups mode could reveal information to non-editing teachers about attempts/users in groups they should not have access to.
| Severity/Risk: | Minor |
| Versions affected: | 4.0 to 4.0.3, 3.11 to 3.11.9, 3.9 to 3.9.16 and earlier unsupported versions |
| Versions fixed: | 4.0.4, 3.11.10 and 3.9.17 |
| Reported by: | Jari Vilkman and Bjørn Teistung |
| Workaround: | Access to this feature can be revoked by removing the mod/h5pactivity:reviewattempts capability from relevant users until the patch is applied. |
| CVE identifier: | CVE-2022-40316 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71662 http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-72012 |
| Tracker issue: | MDL-71662 and MDL-72012 No groups filtering in H5P activity attempts report |
A limited SQL injection risk was identified in the "browse list of users" site administration page.
| Severity/Risk: | Minor |
| Versions affected: | 4.0 to 4.0.3, 3.11 to 3.11.9, 3.9 to 3.9.16 and earlier unsupported versions |
| Versions fixed: | 4.0.4, 3.11.10 and 3.9.17 |
| Reported by: | Vincent |
| CVE identifier: | CVE-2022-40315 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-75283 |
| Tracker issue: | MDL-75283 Minor SQL injection risk in admin user browsing |
A remote code execution risk when restoring backup files originating from Moodle 1.9 was identified.
| Severity/Risk: | Serious |
| Versions affected: | 4.0 to 4.0.3, 3.11 to 3.11.9, 3.9 to 3.9.16 and earlier unsupported versions |
| Versions fixed: | 4.0.4, 3.11.10 and 3.9.17 |
| Reported by: | Paul Holden |
| CVE identifier: | CVE-2022-40314 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-75405 |
| Tracker issue: | MDL-75405 Remote code execution risk when restoring malformed backup file from Moodle 1.9 |