Security announcements

MSA-21-0016: Files API should mitigate denial-of-service risk when adding to the draft file area

by Michael Hawkins - Monday, May 17, 2021, 3:36 PM

A denial-of-service risk was identified in the draft files area, due to it not respecting user file upload limits.

Severity/Risk:	Serious
Versions affected:	3.10 to 3.10.3, 3.9 to 3.9.6, 3.8 to 3.8.8, 3.5 to 3.5.17 and earlier unsupported versions
Versions fixed:	3.11, 3.10.4, 3.9.7, 3.8.9 and 3.5.18
Reported by:	Ben Samtleben
CVE identifier:	CVE-2021-32476
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-69028
Tracker issue:	MDL-69028 Files API should mitigate denial-of-service risk when adding to the draft file area

MSA-21-0015: Stored XSS in quiz grading report via user ID number

by Michael Hawkins - Monday, May 17, 2021, 3:35 PM

ID numbers displayed in the quiz grading report required additional sanitizing to prevent a stored XSS risk.

Severity/Risk:	Minor
Versions affected:	3.10 to 3.10.3, 3.9 to 3.9.6, 3.8 to 3.8.8, 3.5 to 3.5.17 and earlier unsupported versions
Versions fixed:	3.11, 3.10.4, 3.9.7, 3.8.9 and 3.5.18
Reported by:	Paul Holden
CVE identifier:	CVE-2021-32475
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71130
Tracker issue:	MDL-71130 Stored XSS in quiz grading report via user ID number

MSA-21-0014: Blind SQL injection possible via MNet authentication

by Michael Hawkins - Monday, May 17, 2021, 3:34 PM

An SQL injection risk existed on sites with MNet enabled and configured, via an XML-RPC call from the connected peer host. Note that this required site administrator access or access to the keypair.

Severity/Risk:	Serious
Versions affected:	3.10 to 3.10.3, 3.9 to 3.9.6, 3.8 to 3.8.8, 3.5 to 3.5.17 and earlier unsupported versions
Versions fixed:	3.11, 3.10.4, 3.9.7, 3.8.9 and 3.5.18
Reported by:	Rekter0
CVE identifier:	CVE-2021-32474
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-70804
Tracker issue:	MDL-70804 Blind SQL injection possible via MNet authentication

MSA-21-0013: Quiz unreleased grade disclosure via web service

by Michael Hawkins - Monday, May 17, 2021, 3:34 PM

It was possible for a student to view their quiz grade before it had been released, using a quiz web service.

Severity/Risk:	Serious
Versions affected:	3.10 to 3.10.3, 3.9 to 3.9.6, 3.8 to 3.8.8, 3.5 to 3.5.17 and earlier unsupported versions
Versions fixed:	3.11, 3.10.4, 3.9.7, 3.8.9 and 3.5.18
Reported by:	Nadav Kavalerchik
CVE identifier:	CVE-2021-32473
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-70720
Tracker issue:	MDL-70720 Quiz unreleased grade disclosure via web service

MSA-21-0012: Forum CSV export could result in posts from all courses being exported

by Michael Hawkins - Monday, May 17, 2021, 3:33 PM

Teachers exporting a forum in CSV format could receive a CSV of forums from all courses in some circumstances.

Severity/Risk:	Serious
Versions affected:	3.10 to 3.10.3, 3.9 to 3.9.6 and 3.8 to 3.8.8
Versions fixed:	3.11, 3.10.4, 3.9.7 and 3.8.9
Reported by:	Daniel Konrad
Workaround:	Remove the Export Forum (mod/forum:exportforum) capability from non-admin roles/users until the patch has been applied.
CVE identifier:	CVE-2021-32472
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71359
Tracker issue:	MDL-71359 Forum CSV export could result in posts from all courses being exported

MSA-21-0011: JQuery versions below 3.5.0 contain some potential vulnerabilities (upstream)

by Michael Hawkins - Monday, March 15, 2021, 3:43 PM

The JQuery version used by Moodle required upgrading to 3.5.1 to patch some published potential vulnerabilities.

Severity/Risk:	Minor
Versions affected:	3.10 to 3.10.1, 3.9 to 3.9.4, 3.8 to 3.8.7, 3.5 to 3.5.16 and earlier unsupported versions
Versions fixed:	3.10.2, 3.9.5, 3.8.8 and 3.5.17
Reported by:	Mike Henry
CVE identifiers:	CVE-2020-11022 and CVE-2020-11023
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-69680
Tracker issue:	MDL-69680 JQuery versions below 3.5.0 contains some potential vulnerabilities

MSA-21-0010: Fetching a user's enrolled courses via web services did not check profile access in each course

by Michael Hawkins - Monday, March 15, 2021, 3:41 PM

The web service responsible for fetching other users' enrolled courses did not validate that the requesting user had permission to view that information in each course.

Severity/Risk:	Minor
Versions affected:	3.10 to 3.10.1, 3.9 to 3.9.4, 3.8 to 3.8.7, 3.5 to 3.5.16 and earlier unsupported versions
Versions fixed:	3.10.2, 3.9.5, 3.8.8 and 3.5.17
Reported by:	Paul Holden
CVE identifier:	CVE-2021-20283
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-70822
Tracker issue:	MDL-70822 Fetching a user's enrolled courses via web services did not check profile access in each course

MSA-21-0009: Bypass email verification secret when confirming account registration

by Michael Hawkins - Monday, March 15, 2021, 3:23 PM

When creating a user account, it was possible to verify the account without having access to the verification email link/secret.

Severity/Risk:	Minor
Versions affected:	3.10 to 3.10.1, 3.9 to 3.9.4, 3.8 to 3.8.7, 3.5 to 3.5.16 and earlier unsupported versions
Versions fixed:	3.10.2, 3.9.5, 3.8.8 and 3.5.17
Reported by:	Bandjes
CVE identifier:	CVE-2021-20282
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-70668
Tracker issue:	MDL-70668 Bypass email verification secret when confirming account registration

MSA-21-0008: User full name disclosure within online users block

by Michael Hawkins - Monday, March 15, 2021, 3:21 PM

It was possible for some users without permission to view other users' full names to do so via the online users block.

Severity/Risk:	Minor
Versions affected:	3.10 to 3.10.1, 3.9 to 3.9.4, 3.8 to 3.8.7, 3.5 to 3.5.16 and earlier unsupported versions
Versions fixed:	3.10.2, 3.9.5, 3.8.8 and 3.5.17
Reported by:	Ankit Agarwal
Workaround:	Hide the online users block (via Site administration > Plugins > Blocks > Manage blocks) until the patch has been applied.
CVE identifier:	CVE-2021-20281
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-59293
Tracker issue:	MDL-59293 User full name disclosure within online users block

MSA-21-0007: Stored XSS and blind SSRF possible via feedback answer text

by Michael Hawkins - Monday, March 15, 2021, 2:31 PM

Text-based feedback answers required additional sanitizing to prevent stored XSS and blind SSRF risks.

Severity/Risk:	Serious
Versions affected:	3.10 to 3.10.1, 3.9 to 3.9.4, 3.8 to 3.8.7, 3.5 to 3.5.16 and earlier unsupported versions
Versions fixed:	3.10.2, 3.9.5, 3.8.8 and 3.5.17
Reported by:	Holme and Rekter0
CVE identifier:	CVE-2021-20280
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-70767
Tracker issue:	MDL-70767 Stored XSS and blind SSRF possible via feedback answer text