Security announcements

MSA-22-0023: Stored XSS and page denial of service risks due to recursive rendering in Mustache template helpers

by Michael Hawkins -

Recursive rendering of Mustache template helpers containing user input could, in some cases, result in an XSS risk or a page failing to load.

Severity/Risk: Serious
Versions affected: 4.0 to 4.0.3, 3.11 to 3.11.9, 3.9 to 3.9.16 and earlier unsupported versions
Versions fixed: 4.0.4, 3.11.10 and 3.9.17
Reported by: Adam Roberts, NCC Group
CVE identifier: CVE-2022-40313
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-68066
Tracker issue: MDL-68066 Stored XSS and page denial of service risks due to recursive rendering in Mustache template helpers

MSA-22-0022: CSRF risk in enabling/disabling installed H5P libraries

by Michael Hawkins -

Enabling and disabling installed H5P libraries did not include the necessary token to prevent a CSRF risk.

Severity/Risk: Minor
Versions affected: 4.0 to 4.0.2 and 3.11 to 3.11.8
Versions fixed: 4.0.3 and 3.11.9
Reported by: Paul Holden
CVE identifier: CVE-2022-2986
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-75326
Tracker issue: MDL-75326 CSRF risk in enabling/disabling installed H5P libraries

MSA-22-0021: Upgrade Mustache to latest version (upstream)

by Michael Hawkins -

The Mustache template library included with Moodle has been upgraded to the latest version, which includes a fix for a serious security issue.

Severity/Risk: Serious
Versions affected: 4.0 to 4.0.2, 3.11 to 3.11.8, 3.9 to 3.9.15 and earlier unsupported versions
Versions fixed: 4.0.3, 3.11.9 and 3.9.16
Reported by: Lars Bonczek
CVE identifier: CVE-2022-0323
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-75388
Tracker issue: MDL-75388 Upgrade Mustache to latest version (upstream)

MSA-22-0020: Upgrade moodle-mlbackend-python and update its reference in /lib/mlbackend/python/classes/processor.php (upstream)

by Michael Hawkins -

The upstream Moodle machine learning backend and its reference in /lib/mlbackend/python/classes/processor.php were upgraded, which includes some security updates.

Please note: If you are using Moodle Analytics, an upgrade to the mlbackend is required. See the Analytics settings documentation for more information about required versions and how to upgrade.

Severity/Risk: Minor
Versions affected: 4.0 to 4.0.1, 3.11 to 3.11.7, 3.9 to 3.9.14 and earlier unsupported versions
Versions fixed: 4.0.2, 3.11.8 and 3.9.15
Reported by: Ilya Tregubov
CVE identifier: N/A
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-74473
Tracker issue: MDL-74473 Upgrade moodle-mlbackend-python and update its reference in /lib/mlbackend/python/classes/processor.php (upstream)

MSA-22-0019: LTI module reflected XSS risk - affecting unauthenticated users only

by Michael Hawkins -

A minor reflected XSS risk was identified in the LTI module. This did not impact authenticated users.

Severity/Risk: Minor
Versions affected: 4.0 to 4.0.1, 3.11 to 3.11.7, 3.9 to 3.9.14 and earlier unsupported versions
Versions fixed: 4.0.2, 3.11.8 and 3.9.15
Reported by: Luuk Verhoeven
CVE identifier: CVE-2022-35653
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-72299
Tracker issue: MDL-72299 LTI module reflected XSS risk - affecting unauthenticated users only

MSA-22-0018: Open redirect risk in mobile auto-login feature

by Michael Hawkins -

The mobile auto-login URL required additional sanitizing to prevent an open redirect risk.

Severity/Risk: Minor
Versions affected: 4.0 to 4.0.1, 3.11 to 3.11.7, 3.9 to 3.9.14 and earlier unsupported versions
Versions fixed: 4.0.2, 3.11.8 and 3.9.15
Reported by: petermaster
CVE identifier: CVE-2022-35652
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-72171
Tracker issue: MDL-72171 Open redirect risk in mobile auto-login feature

MSA-22-0017: Stored XSS and blind SSRF possible via SCORM track details

by Michael Hawkins -

Insufficient sanitizing of SCORM track details presented stored XSS and blind SSRF risks.

Severity/Risk: Serious
Versions affected: 4.0 to 4.0.1, 3.11 to 3.11.7, 3.9 to 3.9.14 and earlier unsupported versions
Versions fixed: 4.0.2, 3.11.8 and 3.9.15
Reported by: Rekter0
CVE identifier: CVE-2022-35651
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71921
Tracker issue: MDL-71921 Stored XSS and blind SSRF possible via SCORM track details

MSA-22-0016: Arbitrary file read when importing lesson questions

by Michael Hawkins -

Insufficient path checks in a lesson question import resulted in an arbitrary file read risk. The capability to access this feature is only available to teachers, managers and admins by default.

Severity/Risk: Serious
Versions affected: 4.0 to 4.0.1, 3.11 to 3.11.7, 3.9 to 3.9.14 and earlier unsupported versions
Versions fixed: 4.0.2, 3.11.8 and 3.9.15
Reported by: loknop
CVE identifier: CVE-2022-35650
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-72029
Tracker issue: MDL-72029 Arbitrary file read when importing lesson questions

MSA-22-0015: PostScript Code Injection / Remote code execution risk

by Michael Hawkins -

An omitted execution parameter resulted in a remote code execution risk for sites running GhostScript versions older than 9.50.

Severity/Risk: Serious
Versions affected: 4.0 to 4.0.1, 3.11 to 3.11.7, 3.9 to 3.9.14 and earlier unsupported versions
Versions fixed: 4.0.2, 3.11.8 and 3.9.15
Reported by: Nick Wojciechowski, CyberCX
Workaround: Ensure older versions of GhostScript are upgraded to 9.50 or newer.
CVE identifier: CVE-2022-35649
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-75044
Tracker issue: MDL-75044 PostScript Code Injection / Remote code execution risk

MSA-22-0014: Failed login attempts counted incorrectly

by Michael Hawkins -

An issue in the logic used to count failed login attempts could result in the account lockout threshold being bypassed.

Severity/Risk: Serious
Versions affected: 4.0, 3.11 to 3.11.6, 3.10 to 3.10.10, 3.9 to 3.9.13 and earlier unsupported versions
Versions fixed: 4.0.1, 3.11.7, 3.10.11 and 3.9.14
Reported by: Shamim Rezaie
CVE identifier: CVE-2022-30600
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-73736
Tracker issue: MDL-73736 Failed login attempts counted incorrectly