Security announcements

MSA-21-0016: Files API should mitigate denial-of-service risk when adding to the draft file area

by Michael Hawkins

A denial-of-service risk was identified in the draft files area, due to it not respecting user file upload limits.


Severity/Risk: Serious
Versions affected: 3.10 to 3.10.3, 3.9 to 3.9.6, 3.8 to 3.8.8, 3.5 to 3.5.17 and earlier unsupported versions
Versions fixed: 3.11, 3.10.4, 3.9.7, 3.8.9 and 3.5.18
Reported by: Ben Samtleben
CVE identifier: CVE-2021-32476
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-69028
Tracker issue: MDL-69028 Files API should mitigate denial-of-service risk when adding to the draft file area

MSA-21-0015: Stored XSS in quiz grading report via user ID number

by Michael Hawkins

ID numbers displayed in the quiz grading report required additional sanitizing to prevent a stored XSS risk.


Severity/Risk: Minor
Versions affected: 3.10 to 3.10.3, 3.9 to 3.9.6, 3.8 to 3.8.8, 3.5 to 3.5.17 and earlier unsupported versions
Versions fixed: 3.11, 3.10.4, 3.9.7, 3.8.9 and 3.5.18
Reported by: Paul Holden
CVE identifier: CVE-2021-32475
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71130
Tracker issue: MDL-71130 Stored XSS in quiz grading report via user ID number

MSA-21-0014: Blind SQL injection possible via MNet authentication

by Michael Hawkins

An SQL injection risk existed on sites with MNet enabled and configured, via an XML-RPC call from the connected peer host. Note that this required site administrator access or access to the keypair.


Severity/Risk: Serious
Versions affected: 3.10 to 3.10.3, 3.9 to 3.9.6, 3.8 to 3.8.8, 3.5 to 3.5.17 and earlier unsupported versions
Versions fixed: 3.11, 3.10.4, 3.9.7, 3.8.9 and 3.5.18
Reported by: Rekter0
CVE identifier: CVE-2021-32474
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-70804
Tracker issue: MDL-70804 Blind SQL injection possible via MNet authentication

MSA-21-0013: Quiz unreleased grade disclosure via web service

by Michael Hawkins

It was possible for a student to view their quiz grade before it had been released, using a quiz web service.


Severity/Risk: Serious
Versions affected: 3.10 to 3.10.3, 3.9 to 3.9.6, 3.8 to 3.8.8, 3.5 to 3.5.17 and earlier unsupported versions
Versions fixed: 3.11, 3.10.4, 3.9.7, 3.8.9 and 3.5.18
Reported by: Nadav Kavalerchik
CVE identifier: CVE-2021-32473
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-70720
Tracker issue: MDL-70720 Quiz unreleased grade disclosure via web service

MSA-21-0012: Forum CSV export could result in posts from all courses being exported

by Michael Hawkins

Teachers exporting a forum in CSV format could receive a CSV of forums from all courses in some circumstances.


Severity/Risk: Serious
Versions affected: 3.10 to 3.10.3, 3.9 to 3.9.6 and 3.8 to 3.8.8
Versions fixed: 3.11, 3.10.4, 3.9.7 and 3.8.9
Reported by: Daniel Konrad
Workaround: Remove the Export Forum (mod/forum:exportforum) capability from non-admin roles/users until the patch has been applied.
CVE identifier: CVE-2021-32472
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71359
Tracker issue: MDL-71359 Forum CSV export could result in posts from all courses being exported

MSA-21-0011: JQuery versions below 3.5.0 contain some potential vulnerabilities (upstream)

by Michael Hawkins

The JQuery version used by Moodle required upgrading to 3.5.1 to patch some published potential vulnerabilities.


Severity/Risk: Minor
Versions affected: 3.10 to 3.10.1, 3.9 to 3.9.4, 3.8 to 3.8.7, 3.5 to 3.5.16 and earlier unsupported versions
Versions fixed: 3.10.2, 3.9.5, 3.8.8 and 3.5.17
Reported by: Mike Henry
CVE identifiers: CVE-2020-11022 and CVE-2020-11023
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-69680
Tracker issue: MDL-69680 JQuery versions below 3.5.0 contains some potential vulnerabilities

MSA-21-0010: Fetching a user's enrolled courses via web services did not check profile access in each course

by Michael Hawkins

The web service responsible for fetching other users' enrolled courses did not validate that the requesting user had permission to view that information in each course.


Severity/Risk: Minor
Versions affected: 3.10 to 3.10.1, 3.9 to 3.9.4, 3.8 to 3.8.7, 3.5 to 3.5.16 and earlier unsupported versions
Versions fixed: 3.10.2, 3.9.5, 3.8.8 and 3.5.17
Reported by: Paul Holden
CVE identifier: CVE-2021-20283
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-70822
Tracker issue: MDL-70822 Fetching a user's enrolled courses via web services did not check profile access in each course

MSA-21-0009: Bypass email verification secret when confirming account registration

by Michael Hawkins

When creating a user account, it was possible to verify the account without having access to the verification email link/secret.


Severity/Risk: Minor
Versions affected: 3.10 to 3.10.1, 3.9 to 3.9.4, 3.8 to 3.8.7, 3.5 to 3.5.16 and earlier unsupported versions
Versions fixed: 3.10.2, 3.9.5, 3.8.8 and 3.5.17
Reported by: Bandjes
CVE identifier: CVE-2021-20282
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-70668
Tracker issue: MDL-70668 Bypass email verification secret when confirming account registration

MSA-21-0008: User full name disclosure within online users block

by Michael Hawkins

It was possible for some users without permission to view other users' full names to do so via the online users block.


Severity/Risk: Minor
Versions affected: 3.10 to 3.10.1, 3.9 to 3.9.4, 3.8 to 3.8.7, 3.5 to 3.5.16 and earlier unsupported versions
Versions fixed: 3.10.2, 3.9.5, 3.8.8 and 3.5.17
Reported by: Ankit Agarwal
Workaround: Hide the online users block (via Site administration > Plugins > Blocks > Manage blocks) until the patch has been applied.
CVE identifier: CVE-2021-20281
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-59293
Tracker issue: MDL-59293 User full name disclosure within online users block

MSA-21-0007: Stored XSS and blind SSRF possible via feedback answer text

by Michael Hawkins

Text-based feedback answers required additional sanitizing to prevent stored XSS and blind SSRF risks.


Severity/Risk: Serious
Versions affected: 3.10 to 3.10.1, 3.9 to 3.9.4, 3.8 to 3.8.7, 3.5 to 3.5.16 and earlier unsupported versions
Versions fixed: 3.10.2, 3.9.5, 3.8.8 and 3.5.17
Reported by: Holme and Rekter0
CVE identifier: CVE-2021-20280
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-70767
Tracker issue: MDL-70767 Stored XSS and blind SSRF possible via feedback answer text