Security announcements

MSA-22-0013: SQL injection risk in badge award criteria

by Michael Hawkins

An SQL injection risk was identified in Badges code relating to configuring criteria.

NOTE: in Moodle 4.0, 3.11.6, 3.10.10 and 3.9.13, access to this vulnerability was available to site administrators only. In earlier versions, access to the relevant capability was also limited to teachers and managers by default.


Severity/Risk: Serious
Versions affected: 4.0, 3.11 to 3.11.6, 3.10 to 3.10.10, 3.9 to 3.9.13 and earlier unsupported versions
Versions fixed: 4.0.1, 3.11.7, 3.10.11 and 3.9.14
Reported by: Michael Dunstan
Workaround: In versions earlier than Moodle 4.0, 3.11.6, 3.10.10 and 3.9.13, remove the moodle/badges:configurecriteria capability from users to prevent them accessing the affected functionality until the patch is applied (in newer versions this is not necessary).
CVE identifier: CVE-2022-30599
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-74333
Tracker issue: MDL-74333 SQL injection risk in badge award criteria

MSA-22-0012: Global search results reveal authors of content unexpectedly for some activities

by Michael Hawkins

Global search results could include author information on some activities where a user may not otherwise have access to it.


Severity/Risk: Minor
Versions affected: 4.0, 3.11 to 3.11.6, 3.10 to 3.10.10, 3.9 to 3.9.13 and earlier unsupported versions
Versions fixed: 4.0.1, 3.11.7, 3.10.11 and 3.9.14
Reported by: Catalina
CVE identifier: CVE-2022-30598
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71623
Tracker issue: MDL-71623 Global search results reveal authors of content unexpectedly for some activities

MSA-22-0011: Description field hidden by user policies (hiddenuserfields) is still visible

by Michael Hawkins

The description user field was not hidden when being set as a hidden user field.


Severity/Risk: Minor
Versions affected: 4.0, 3.11 to 3.11.6, 3.10 to 3.10.10, 3.9 to 3.9.13 and earlier unsupported versions
Versions fixed: 4.0.1, 3.11.7, 3.10.11 and 3.9.14
Reported by: Bo Foght
CVE identifier: CVE-2022-30597
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-74318
Tracker issue: MDL-74318 Description field hidden by user policies (hiddenuserfields) is still visible

MSA-22-0010: Stored XSS in assignment bulk marker allocation form via user ID number

by Michael Hawkins

ID numbers displayed when bulk allocating markers to assignments required additional sanitizing to prevent a stored XSS risk.


Severity/Risk: Minor
Versions affected: 4.0, 3.11 to 3.11.6, 3.10 to 3.10.10, 3.9 to 3.9.13 and earlier unsupported versions
Versions fixed: 4.0.1, 3.11.7, 3.10.11 and 3.9.14
Reported by: Paul Holden
CVE identifier: CVE-2022-30596
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-74204
Tracker issue: MDL-74204 Stored XSS in assignment bulk marker allocation form via user ID number

MSA-22-0009: Upgrade CKEditor included in h5p-editor-php-library to latest version (upstream)

by Michael Hawkins

The CKEditor included in the h5p-editor-php-library within Moodle has been upgraded to the latest version, which includes security fixes.


Severity/Risk: Minor
Versions affected: 3.11 to 3.11.5, 3.10 to 3.10.9, 3.9 to 3.9.12 and earlier unsupported versions
Versions fixed: 3.11.6, 3.10.10 and 3.9.13
Reported by: Sara Arjona (@sarjona)
CVE identifier: N/A
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71722
Tracker issue: MDL-71722 Upgrade CKEditor included in h5p-editor-php-library to latest version (upstream)

MSA-22-0008: Upgrade PHPMailer to latest version (upstream)

by Michael Hawkins

The PHPMailer library included with Moodle has been upgraded to the latest version, which includes security fixes.


Severity/Risk: Minor
Versions affected: 3.11 to 3.11.5, 3.10 to 3.10.9, 3.9 to 3.9.12 and earlier unsupported versions
Versions fixed: 3.11.6, 3.10.10 and 3.9.13
Reported by: Sara Arjona (@sarjona)
CVE identifier: N/A
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71703
Tracker issue: MDL-71703 Upgrade PHPMailer to latest version (upstream)

MSA-22-0007: Possible to reach the profile field badge criteria on a course page

by Michael Hawkins

Users with the capability to configure badge criteria (teachers and managers by default) were able to configure course badges with profile field criteria, which should only be available for site badges.


Severity/Risk: Minor
Versions affected: 3.11 to 3.11.5, 3.10 to 3.10.9, 3.9 to 3.9.12 and earlier unsupported versions
Versions fixed: 3.11.6, 3.10.10 and 3.9.13
Reported by: Andrew Lyons
Workaround: Remove the moodle/badges:configurecriteria capability from users to prevent them accessing the relevant functionality until the patch is applied.
CVE identifier: CVE-2022-0984
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-74075
Tracker issue: MDL-74075 Possible to reach the profile field badge criteria on a course page

MSA-22-0006: Users with moodle/site:uploadusers but without moodle/user:delete could delete users

by Michael Hawkins

Insufficient capability checks could allow users with the moodle/site:uploadusers capability to delete users, without having the necessary moodle/user:delete capability.


Severity/Risk: Minor
Versions affected: 3.11 to 3.11.5, 3.10 to 3.10.9, 3.9 to 3.9.12 and earlier unsupported versions
Versions fixed: 3.11.6, 3.10.10 and 3.9.13
Reported by: Chris Pratt
Workaround: Remove the moodle/site:uploadusers capability from users who do not also have the moodle/user:delete capability, until the patch is applied.
CVE identifier: CVE-2022-0985
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-72972
Tracker issue: MDL-72972 Users with moodle/site:uploadusers but without moodle/user:delete could delete users

MSA-22-0005: SQL injection risk in Badges criteria code

by Michael Hawkins

An SQL injection risk was identified in Badges code relating to configuring criteria. Access to the relevant capability was limited to teachers and managers by default.

NOTE: Please pay particular attention to this fix. Information was recently released online about this vulnerability by third parties, so please upgrade or patch as soon as you are able to. We prepared the patch for this as soon as we became aware of the issue, to ensure a fix was available for this release.

It is important to reiterate that this vulnerability is only accessible by teachers/managers/admins by default, because it requires the capability to add and enable badge criteria. As mentioned in the workaround listed below, this can be mitigated (on all non-admin users) by removing the relevant capability until the patch is applied.

Severity/Risk: Serious
Versions affected: 3.11 to 3.11.5, 3.10 to 3.10.9, 3.9 to 3.9.12 and earlier unsupported versions
Versions fixed: 3.11.6, 3.10.10 and 3.9.13
Workaround: Remove the moodle/badges:configurecriteria capability from users to prevent them accessing the affected functionality until the patch is applied.
CVE identifier: CVE-2022-0983
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-74074
Tracker issue: MDL-74074 SQL injection risk in Badges criteria code

MSA-22-0004: CSRF risk in badge alignment deletion

by Michael Hawkins

The "delete badge alignment" functionality did not include the necessary token check to prevent a CSRF risk.


Severity/Risk: Serious
Versions affected: 3.11 to 3.11.4, 3.10 to 3.10.8, 3.9 to 3.9.11 and earlier unsupported versions
Versions fixed: 3.11.5, 3.10.9 and 3.9.12
Reported by: Ostapbender
CVE identifier: CVE-2022-0335
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-72367
Tracker issue: MDL-72367 CSRF risk in badge alignment deletion