Security announcements

MSA-23-0023: Stored self-XSS escalated to stored XSS via OAuth 2 login

by Michael Hawkins -

It was possible to escalate stored self-XSS to stored XSS where users login via OAuth 2.


Severity/Risk: Serious
Versions affected: 4.2 to 4.2.1, 4.1 to 4.1.4, 4.0 to 4.0.9, 3.11 to 3.11.15, 3.9 to 3.9.22 and earlier unsupported versions
Versions fixed: 4.2.2, 4.1.5, 4.0.10, 3.11.16 and 3.9.23
Reported by: Yaniv Nizry (SonarSource)
CVE identifier: CVE-2023-40320
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-78685
Tracker issue: MDL-78685 Stored self-XSS escalated to stored XSS via OAuth 2 login

MSA-23-0022: SQL injection risk in grader report sorting

by Michael Hawkins -

An SQL injection risk was identified in the grader report sorting.

(Note: By default the capability to access this page is only available to teachers, non-editing teachers and managers.)

Severity/Risk: Serious
Versions affected: 4.2 to 4.2.1
Versions fixed: 4.2.2
Reported by: Paul Holden
Workaround: Remove access to the gradereport/grader:view capability until the patch has been applied.
CVE identifier: CVE-2023-40319
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-78790
Tracker issue: MDL-78790 SQL injection risk in grader report sorting

MSA-23-0021: Some block permissions on Dashboard not respected

by Michael Hawkins -

Permission overrides on individual blocks in the system dashboard did not cascade to user dashboards.


Severity/Risk: Minor
Versions affected: 4.2 to 4.2.1, 4.1 to 4.1.4, 4.0 to 4.0.9, 3.11 to 3.11.15, 3.9 to 3.9.22 and earlier unsupported versions
Versions fixed: 4.2.2, 4.1.5, 4.0.10, 3.11.16 and 3.9.23
Reported by: Bas Harkink
CVE identifier: CVE-2023-40318
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-78340
Tracker issue: MDL-78340 Some block permissions on Dashboard not respected

MSA-23-0020: Remote code execution risk when parsing malformed file repository reference

by Michael Hawkins -

A remote code execution risk was identified where file repository reference properties are parsed.


Severity/Risk: Serious
Versions affected: 4.2 to 4.2.1, 4.1 to 4.1.4, 4.0 to 4.0.9, 3.11 to 3.11.15, 3.9 to 3.9.22 and earlier unsupported versions
Versions fixed: 4.2.2, 4.1.5, 4.0.10, 3.11.16 and 3.9.23
Reported by: Paul Holden
CVE identifier: CVE-2023-40317
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-78647
Tracker issue: MDL-78647 Remote code execution risk when parsing malformed file repository reference

MSA-23-0019: Proxy bypass risk due to insufficient validation

by Michael Hawkins -

Incorrect domain matching logic made it possible to bypass the proxy, which could result in access to hosts intended to be blocked by the proxy.


Severity/Risk: Serious
Versions affected: 4.2 to 4.2.1, 4.1 to 4.1.4, 4.0 to 4.0.9, 3.11 to 3.11.15, 3.9 to 3.9.22 and earlier unsupported versions
Versions fixed: 4.2.2, 4.1.5, 4.0.10, 3.11.16 and 3.9.23
Reported by: Brendan Heywood
Workaround: Add hosts blocked within the proxy to the Moodle cURL blocked hosts configuration if possible, until the patch is applied.
CVE identifier: CVE-2023-40316
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-74289
Tracker issue: MDL-74289 Proxy bypass risk due to insufficient validation

MSA-23-0018: SSRF risk due to insufficient check on the cURL blocked hosts list

by Michael Hawkins -

An issue in the logic used to check 0.0.0.0 against the cURL blocked hosts lists resulted in an SSRF risk.


Severity/Risk: Serious
Versions affected: 4.2, 4.1 to 4.1.3, 4.0 to 4.0.8, 3.11 to 3.11.14, 3.9 to 3.9.21 and earlier unsupported versions
Versions fixed: 4.2.1, 4.1.4, 4.0.9, 3.11.15 and 3.9.22
Reported by: Mateo Hanžek
CVE identifier: CVE-2023-35133
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-78215
Tracker issue: MDL-78215 SSRF risk due to insufficient check on the cURL blocked hosts list

MSA-23-0017: Minor SQL injection risk on Mnet SSO access control page

by Michael Hawkins -

A limited SQL injection risk was identified on the Mnet SSO access control page.


Severity/Risk: Minor
Versions affected: 4.2, 4.1 to 4.1.3, 4.0 to 4.0.8, 3.11 to 3.11.14, 3.9 to 3.9.21 and earlier unsupported versions
Versions fixed: 4.2.1, 4.1.4, 4.0.9, 3.11.15 and 3.9.22
Reported by: Paul Holden
CVE identifier: CVE-2023-35132
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-77193
Tracker issue: MDL-77193 Minor SQL injection risk on Mnet SSO access control page

MSA-23-0016: XSS risk on groups page

by Michael Hawkins -

Content on the groups page required additional sanitizing to prevent an XSS risk.


Severity/Risk: Minor
Versions affected: 4.2, 4.1 to 4.1.3, 4.0 to 4.0.8 and 3.11 to 3.11.14
Versions fixed: 4.2.1, 4.1.4, 4.0.9 and 3.11.15
Reported by: Petr Skoda
CVE identifier: CVE-2023-35131
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-76683
Tracker issue: MDL-76683 XSS risk on groups page

MSA-23-0015: Minor SQL injection risk in external Wiki method for listing pages

by Michael Hawkins -

A limited SQL injection risk was identified in functionality used by the Wiki activity when listing pages.


Severity/Risk: Minor
Versions affected: 4.1 to 4.1.2, 4.0 to 4.0.7, 3.11 to 3.11.13, 3.9 to 3.9.20 and earlier unsupported versions
Versions fixed: 4.1.3, 4.0.8, 3.11.14 and 3.9.21
Reported by: Paul Holden
CVE identifier: CVE-2023-30944
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-77187
Tracker issue: MDL-77187 Minor SQL injection risk in external Wiki method for listing pages

MSA-23-0014: TinyMCE loaders susceptible to Arbitrary Folder Creation

by Michael Hawkins -

Insufficient sanitizing of loaders used by TinyMCE resulted in an arbitrary folder creation risk.


Severity/Risk: Serious
Versions affected: 4.1 to 4.1.2
Versions fixed: 4.1.3
Reported by: Yaniv Nizry (SonarSource)
CVE identifier: CVE-2023-30943
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-77718
Tracker issue: MDL-77718 TinyMCE loaders susceptible to Arbitrary Folder Creation