Security announcements

MSA-21-0034: Authentication bypass risk when using external database authentication

by Michael Hawkins -

An authentication bypass risk was identified in the external database authentication functionality, due to a type juggling vulnerability (a loose comparison in PHP, under which values of different types, or numeric-looking strings, can compare as equal).


Severity/Risk: Serious
Versions affected: 3.11 to 3.11.2, 3.10 to 3.10.6, 3.9 to 3.9.9 and earlier unsupported versions
Versions fixed: 3.11.3, 3.10.7 and 3.9.10
Reported by: Amit Eyal
CVE identifier: CVE-2021-40693
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71160
Tracker issue: MDL-71160 Authentication bypass risk when using external database authentication
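
The following is an added illustration of the mechanism named above, not Moodle's auth_db code and not the actual MDL-71160 fix. The user rows, the 'format' field and the function names are constructed for the example; the point it makes is general: a password fetched from an external table must be compared byte-for-byte, never with PHP's == operator.

```php
<?php
// Added illustration, not Moodle's auth_db code: why a loose (==) comparison
// is an unsafe way to verify a password fetched from an external user table.
declare(strict_types=1);

// Constructed sample rows in the shape an external database might return.
// 'format' names how the external system stores the password.
const SAMPLE_USERS = [
    // md5('240610708'); note the 0e<digits> form, which PHP treats as numeric
    'alice' => ['format' => 'md5',       'password' => '0e462097431906509019562988736854'],
    // an account whose external password column is empty
    'bob'   => ['format' => 'plaintext', 'password' => ''],
];

function derive(array $row, string $supplied): string
{
    return $row['format'] === 'md5' ? md5($supplied) : $supplied;
}

// Vulnerable shape: == converts two numeric-looking strings to numbers before
// comparing, so any input whose md5 also has the 0e<digits> form (for instance
// 'QNKCDZO') compares equal to alice's stored hash. An empty stored value
// likewise matches an empty submission.
function login_loose(array $row, string $supplied): bool
{
    return $row['password'] == derive($row, $supplied);
}

// Hardened shape: reject unusable stored or submitted values up front, then
// compare with hash_equals(), which is byte-exact, constant-time and accepts
// nothing but two strings.
function login_strict(array $row, string $supplied): bool
{
    $stored = $row['password'];
    if (!is_string($stored) || $stored === '' || $supplied === '') {
        return false;
    }
    return hash_equals($stored, derive($row, $supplied));
}

foreach ([['alice', 'QNKCDZO'], ['alice', '240610708'], ['bob', '']] as [$user, $pw]) {
    printf("%-6s %-10s loose=%s strict=%s\n", $user, $pw,
        var_export(login_loose(SAMPLE_USERS[$user], $pw), true),
        var_export(login_strict(SAMPLE_USERS[$user], $pw), true));
}
```

The numeric-string rule survives in PHP 8 (only the comparison of a non-numeric string with a number changed there), so the 0e-style collision is not a legacy-PHP problem. When auditing a plugin that accepts externally stored credentials, grep for `==` and `!=` on the password path and for any code path where a NULL or empty stored value can reach the comparison.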

MSA-21-0033: Course participants download did not restrict which users could be exported

by Michael Hawkins -

Insufficient capability checks made it possible for teachers to download users outside of their courses.


Severity/Risk: Minor
Versions affected: 3.11 to 3.11.2, 3.10 to 3.10.6, 3.9 to 3.9.9 and earlier unsupported versions
Versions fixed: 3.11.3, 3.10.7 and 3.9.10
Reported by: Paul Holden
CVE identifier: CVE-2021-40692
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71726
Tracker issue: MDL-71726 Course participants download did not restrict which users could be exported
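
An added illustration of the two checks such an export needs, written for this page rather than taken from Moodle's participant export code. The users, enrolments and teacher roles are constructed data, and export_participants() and AccessDenied are hypothetical names; in Moodle itself the corresponding building blocks are require_capability() in the course context and get_enrolled_users()/is_enrolled().

```php
<?php
// Added illustration, not Moodle's core_user export code: a participant export
// gated by a capability check in the course context and then limited to the
// users enrolled in that course.
declare(strict_types=1);

final class AccessDenied extends RuntimeException {}

// Constructed tables: users, enrolments per course, and who may export what.
const USERS      = [1 => 'alice', 2 => 'bob', 3 => 'carol', 4 => 'dave', 5 => 'erin'];
const ENROLMENTS = [10 => [1, 2, 3], 11 => [4, 5]];   // courseid => enrolled user ids
const TEACHERS   = [10 => [3], 11 => [5]];            // courseid => users who may export

// Vulnerable shape: whatever user ids the form posts are looked up and exported,
// so a teacher of one course can pull users from any course, or from the site.
function export_unchecked(int $courseid, array $requestedIds): array
{
    $rows = [];
    foreach ($requestedIds as $id) {
        if (isset(USERS[$id])) {
            $rows[] = ['id' => $id, 'name' => USERS[$id]];
        }
    }
    return $rows;
}

// Hardened shape, two layers:
//  1. the actor must hold the export capability in *this* course;
//  2. the posted ids are only a selection within the course's own enrolments,
//     so ids from elsewhere are dropped rather than exported.
function export_participants(int $actorId, int $courseid, array $requestedIds): array
{
    if (!in_array($actorId, TEACHERS[$courseid] ?? [], true)) {
        throw new AccessDenied("user $actorId may not export participants of course $courseid");
    }
    $enrolled = array_flip(ENROLMENTS[$courseid] ?? []);   // userid => position
    $rows = [];
    foreach (array_unique(array_map('intval', $requestedIds)) as $id) {
        if (isset($enrolled[$id])) {
            $rows[] = ['id' => $id, 'name' => USERS[$id]];
        }
    }
    return $rows;
}

// Carol teaches course 10 and posts ids 2 and 4; user 4 is enrolled in course 11 only.
print_r(export_unchecked(10, [2, 4]));
print_r(export_participants(3, 10, [2, 4]));
try {
    export_participants(2, 10, [1]);   // bob is a student in course 10, not a teacher
} catch (AccessDenied $e) {
    echo $e->getMessage(), "\n";
}
```

The second layer is the one this advisory is about: a capability check alone says the actor may export participants of the course, but the server still has to decide which users count as participants, instead of trusting the id list the client submitted.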

MSA-21-0032: Session Hijack risk when Shibboleth authentication is enabled

by Michael Hawkins -

A session hijack risk was identified in the Shibboleth authentication plugin. (Note: Shibboleth authentication is disabled by default in Moodle.)


Severity/Risk: Serious
Versions affected: 3.11 to 3.11.2, 3.10 to 3.10.6, 3.9 to 3.9.9 and earlier unsupported versions
Versions fixed: 3.11.3, 3.10.7 and 3.9.10
Reported by: Robin Peraglie and Johannes Moritz
CVE identifier: CVE-2021-40691
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71976
Tracker issue: MDL-71976 Session Hijack risk when Shibboleth authentication is enabled

MSA-21-0031: Messaging email notifications containing HTML may hide the final line of the email

by Michael Hawkins -

In some circumstances, email notifications of messages could have the link back to the original message hidden by HTML, which may pose a phishing risk.


Severity/Risk: Minor
Versions affected: 3.11, 3.10 to 3.10.4, 3.9 to 3.9.7 and earlier unsupported versions
Versions fixed: 3.11.1, 3.10.5 and 3.9.8
Reported by: i_am_nobody
CVE identifier: CVE-2021-36403
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71919
Tracker issue: MDL-71919 Messaging email notifications containing HTML may hide the final line of the email

MSA-21-0030: Insufficient escaping of users' names in account confirmation email

by Michael Hawkins -

Users' names required additional sanitizing in the account confirmation email, to prevent a self-registration phishing risk.

Note: If you have customised the language string emailconfirmation, you will need to edit the customisation and remove the placeholder {$a->firstname}.

Severity/Risk: Minor
Versions affected: 3.11, 3.10 to 3.10.4, 3.9 to 3.9.7 and earlier unsupported versions
Versions fixed: 3.11.1, 3.10.5 and 3.9.8
Reported by: Babar Khan Akhunzada
CVE identifier: CVE-2021-36402
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-58393
Tracker issue: MDL-58393 Insufficient escaping of users' names in account confirmation email

MSA-21-0029: Stored XSS when exporting to data formats supporting HTML via user ID number

by Michael Hawkins -

ID numbers exported in HTML data formats required additional sanitizing to prevent a local stored XSS risk. Note that the XSS was part of the locally downloaded file and not on the Moodle site's domain.


Severity/Risk: Minor
Versions affected: 3.11, 3.10 to 3.10.4, 3.9 to 3.9.7 and earlier unsupported versions
Versions fixed: 3.11.1, 3.10.5 and 3.9.8
Reported by: Paul Holden
CVE identifier: CVE-2021-36401
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71981
Tracker issue: MDL-71981 Stored XSS when exporting to data formats supporting HTML via user ID number

MSA-21-0028: IDOR allows removal of other users' calendar URL subscriptions

by Michael Hawkins -

Insufficient capability checks made it possible to remove other users' calendar URL subscriptions.


Severity/Risk: Minor
Versions affected: 3.11, 3.10 to 3.10.4, 3.9 to 3.9.7 and earlier unsupported versions
Versions fixed: 3.11.1, 3.10.5 and 3.9.8
Reported by: Floerer
CVE identifier: CVE-2021-36400
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71978
Tracker issue: MDL-71978 IDOR allows removal of other users' calendar URL subscriptions

MSA-21-0027: Stored XSS in quiz override screens via user ID number

by Michael Hawkins -

ID numbers displayed in the quiz override screens required additional sanitizing to prevent a stored XSS risk.


Severity/Risk: Minor
Versions affected: 3.11
Versions fixed: 3.11.1
Reported by: Paul Holden
CVE identifier: CVE-2021-36399
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71898
Tracker issue: MDL-71898 Stored XSS in quiz override screens via user ID number

MSA-21-0026: Stored XSS in the web service token list via user ID number

by Michael Hawkins -

ID numbers displayed in the web service token list required additional sanitizing to prevent a stored XSS risk.


Severity/Risk: Minor
Versions affected: 3.11
Versions fixed: 3.11.1
Reported by: Marina Glancy
CVE identifier: CVE-2021-36398
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71760
Tracker issue: MDL-71760 Stored XSS in the web service token list via user ID number
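
MSA-21-0029, MSA-21-0027 and MSA-21-0026 all come down to the same omission: a user's idnumber reaching HTML without escaping. The block below is an added illustration of that escaping, not Moodle's code; the user record, the markup and the function names are constructed for the example. escape_html() does what Moodle's s() helper does, and the same call is needed when the markup is written into a downloadable HTML export, since a browser opening that file will run the payload in the file's own context.

```php
<?php
// Added illustration, not Moodle's code: escaping a user-controlled idnumber
// before it lands in HTML, whether on an admin page or in an exported file.
declare(strict_types=1);

// Constructed user record whose idnumber carries a payload that breaks out of
// an attribute and injects an event handler.
const HOSTILE_USER = [
    'username' => 'mallory',
    'idnumber' => '"><img src=x onerror=alert(document.cookie)>',
];

function escape_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Vulnerable shape: the column is interpolated raw, as text and inside an attribute.
function render_row_unescaped(array $user): string
{
    return '<tr><td>' . $user['username'] . '</td>'
         . '<td data-idnumber="' . $user['idnumber'] . '">' . $user['idnumber'] . '</td></tr>';
}

// Hardened shape: every value is escaped at the point it crosses into markup.
// ENT_QUOTES matters: without it the leading " still closes the attribute.
function render_row(array $user): string
{
    return '<tr><td>' . escape_html($user['username']) . '</td>'
         . '<td data-idnumber="' . escape_html($user['idnumber']) . '">'
         . escape_html($user['idnumber']) . '</td></tr>';
}

// Regression check for a test suite: the raw payload must never survive verbatim.
function payload_survives(string $html, string $payload): bool
{
    return strpos($html, $payload) !== false;
}

foreach (['render_row_unescaped', 'render_row'] as $renderer) {
    $html = $renderer(HOSTILE_USER);
    printf("%-22s payload_survives=%s\n%s\n\n", $renderer,
        var_export(payload_survives($html, HOSTILE_USER['idnumber']), true), $html);
}
```

idnumber is a good field to target in a review precisely because it is rarely shown to end users and so tends to be trusted: it is editable by anyone who can update profiles and is set in bulk by user upload and by external authentication sources.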

MSA-21-0025: Messaging web service allows deletion of other users' messages

by Michael Hawkins -

Insufficient capability checks meant message deletions were not limited to the current user.


Severity/Risk: Serious
Versions affected: 3.11, 3.10 to 3.10.4, 3.9 to 3.9.7 and earlier unsupported versions
Versions fixed: 3.11.1, 3.10.5 and 3.9.8
Reported by: 0xkasper
CVE identifier: CVE-2021-36397
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71917
Tracker issue: MDL-71917 Messaging web service allows deletion of other users' messages
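
MSA-21-0028 and MSA-21-0025 share a shape: a record addressed by its id is deleted without checking that the caller may act on it. The block below is an added illustration of the missing ownership check, not Moodle's calendar or messaging code; the tables, the AccessDenied class and the function names are constructed for the example, and the soft "delete for user" model for messages is an assumption made to match the advisory text.

```php
<?php
// Added illustration, not Moodle's code: a record addressed by id is loaded and
// checked for ownership before it is deleted.
declare(strict_types=1);

final class AccessDenied extends RuntimeException {}

// Constructed tables: calendar URL subscriptions and private messages.
$subscriptions = [
    7 => ['id' => 7, 'userid' => 1, 'url' => 'https://example.test/alice.ics'],
    8 => ['id' => 8, 'userid' => 2, 'url' => 'https://example.test/bob.ics'],
];
$messages = [
    100 => ['id' => 100, 'useridfrom' => 1, 'useridto' => 2, 'deleted_for' => []],
];

// Vulnerable shape: being logged in is the only requirement; the id is trusted.
function delete_subscription_unchecked(array &$table, int $id): void
{
    unset($table[$id]);
}

// Hardened shape: an unknown id and a foreign id fail the same way, so the
// endpoint does not double as an oracle for which ids exist.
function delete_subscription(array &$table, int $id, int $actorId, bool $canManageAll = false): void
{
    $row = $table[$id] ?? null;
    if ($row === null || ($row['userid'] !== $actorId && !$canManageAll)) {
        throw new AccessDenied("user $actorId cannot delete subscription $id");
    }
    unset($table[$id]);
}

// For messages the caller names the user the deletion is "for"; that user must
// be the caller, and the caller must be a party to the message.
function delete_message_for_user(array &$table, int $id, int $forUserId, int $actorId): void
{
    $m = $table[$id] ?? null;
    if ($forUserId !== $actorId || $m === null
            || !in_array($actorId, [$m['useridfrom'], $m['useridto']], true)) {
        throw new AccessDenied("user $actorId cannot delete message $id for user $forUserId");
    }
    $table[$id]['deleted_for'][] = $actorId;
}

delete_subscription_unchecked($subscriptions, 7);   // alice's row is gone, no questions asked
try {
    delete_subscription($subscriptions, 8, 1);        // alice targeting bob's row
} catch (AccessDenied $e) {
    echo $e->getMessage(), "\n";
}
try {
    delete_message_for_user($messages, 100, 1, 2);    // bob deleting "for" alice
} catch (AccessDenied $e) {
    echo $e->getMessage(), "\n";
}
delete_message_for_user($messages, 100, 2, 2);        // bob for himself: allowed
print_r($messages[100]['deleted_for']);
```

The test worth adding for every web service of this kind is the negative one: call it as user A with an id belonging to user B and assert that the record is unchanged. A capability check in the system context is not a substitute, because it answers "may this user delete subscriptions" rather than "may this user delete this one".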