Enabling and disabling installed H5P libraries did not include the necessary token to prevent a CSRF risk.
| Severity/Risk: | Minor |
| Versions affected: | 4.0 to 4.0.2 and 3.11 to 3.11.8 |
| Versions fixed: | 4.0.3 and 3.11.9 |
| Reported by: | Paul Holden |
| CVE identifier: | CVE-2022-2986 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-75326 |
| Tracker issue: | MDL-75326 CSRF risk in enabling/disabling installed H5P libraries |
The Mustache template library included with Moodle has been upgraded to the latest version, which includes a fix for a serious security issue.
| Severity/Risk: | Serious |
| Versions affected: | 4.0 to 4.0.2, 3.11 to 3.11.8, 3.9 to 3.9.15 and earlier unsupported versions |
| Versions fixed: | 4.0.3, 3.11.9 and 3.9.16 |
| Reported by: | Lars Bonczek |
| CVE identifier: | CVE-2022-0323 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-75388 |
| Tracker issue: | MDL-75388 Upgrade Mustache to latest version (upstream) |
The upstream Moodle machine learning backend and its reference in /lib/mlbackend/python/classes/processor.php were upgraded, which includes some security updates.
| Please note: | If you are using Moodle Analytics, an upgrade to the mlbackend is required. See the Analytics settings documentation for more information about required versions and how to upgrade. |
| Severity/Risk: | Minor |
| Versions affected: | 4.0 to 4.0.1, 3.11 to 3.11.7, 3.9 to 3.9.14 and earlier unsupported versions |
| Versions fixed: | 4.0.2, 3.11.8 and 3.9.15 |
| Reported by: | Ilya Tregubov |
| CVE identifier: | N/A |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-74473 |
| Tracker issue: | MDL-74473 Upgrade moodle-mlbackend-python and update its reference in /lib/mlbackend/python/classes/processor.php (upstream) |
A minor reflected XSS risk was identified in the LTI module. This did not impact authenticated users.
| Severity/Risk: | Minor |
| Versions affected: | 4.0 to 4.0.1, 3.11 to 3.11.7, 3.9 to 3.9.14 and earlier unsupported versions |
| Versions fixed: | 4.0.2, 3.11.8 and 3.9.15 |
| Reported by: | Luuk Verhoeven |
| CVE identifier: | CVE-2022-35653 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-72299 |
| Tracker issue: | MDL-72299 LTI module reflected XSS risk - affecting unauthenticated users only |
The mobile auto-login URL required additional sanitizing to prevent an open redirect risk.
| Severity/Risk: | Minor |
| Versions affected: | 4.0 to 4.0.1, 3.11 to 3.11.7, 3.9 to 3.9.14 and earlier unsupported versions |
| Versions fixed: | 4.0.2, 3.11.8 and 3.9.15 |
| Reported by: | petermaster |
| CVE identifier: | CVE-2022-35652 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-72171 |
| Tracker issue: | MDL-72171 Open redirect risk in mobile auto-login feature |
Insufficient sanitizing of SCORM track details presented stored XSS and blind SSRF risks.
| Severity/Risk: | Serious |
| Versions affected: | 4.0 to 4.0.1, 3.11 to 3.11.7, 3.9 to 3.9.14 and earlier unsupported versions |
| Versions fixed: | 4.0.2, 3.11.8 and 3.9.15 |
| Reported by: | Rekter0 |
| CVE identifier: | CVE-2022-35651 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71921 |
| Tracker issue: | MDL-71921 Stored XSS and blind SSRF possible via SCORM track details |
Insufficient path checks in a lesson question import resulted in an arbitrary file read risk. The capability to access this feature is only available to teachers, managers and admins by default.
| Severity/Risk: | Serious |
| Versions affected: | 4.0 to 4.0.1, 3.11 to 3.11.7, 3.9 to 3.9.14 and earlier unsupported versions |
| Versions fixed: | 4.0.2, 3.11.8 and 3.9.15 |
| Reported by: | loknop |
| CVE identifier: | CVE-2022-35650 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-72029 |
| Tracker issue: | MDL-72029 Arbitrary file read when importing lesson questions |
An omitted execution parameter resulted in a remote code execution risk for sites running GhostScript versions older than 9.50.
| Severity/Risk: | Serious |
| Versions affected: | 4.0 to 4.0.1, 3.11 to 3.11.7, 3.9 to 3.9.14 and earlier unsupported versions |
| Versions fixed: | 4.0.2, 3.11.8 and 3.9.15 |
| Reported by: | Nick Wojciechowski, CyberCX |
| Workaround: | Ensure older versions of GhostScript are upgraded to 9.50 or newer. |
| CVE identifier: | CVE-2022-35649 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-75044 |
| Tracker issue: | MDL-75044 PostScript Code Injection / Remote code execution risk |
An issue in the logic used to count failed login attempts could result in the account lockout threshold being bypassed.
| Severity/Risk: | Serious |
| Versions affected: | 4.0, 3.11 to 3.11.6, 3.10 to 3.10.10, 3.9 to 3.9.13 and earlier unsupported versions |
| Versions fixed: | 4.0.1, 3.11.7, 3.10.11 and 3.9.14 |
| Reported by: | Shamim Rezaie |
| CVE identifier: | CVE-2022-30600 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-73736 |
| Tracker issue: | MDL-73736 Failed login attempts counted incorrectly |
An SQL injection risk was identified in Badges code relating to configuring criteria.
NOTE: in Moodle 4.0, 3.11.6, 3.10.10 and 3.9.13, access to this vulnerability was available to site administrators only. In earlier versions, access to the relevant capability was also limited to teachers and managers by default.
| Severity/Risk: | Serious |
| Versions affected: | 4.0, 3.11 to 3.11.6, 3.10 to 3.10.10, 3.9 to 3.9.13 and earlier unsupported versions |
| Versions fixed: | 4.0.1, 3.11.7, 3.10.11 and 3.9.14 |
| Reported by: | Michael Dunstan |
| Workaround: | In versions earlier than Moodle 4.0, 3.11.6, 3.10.10 and 3.9.13, remove the moodle/badges:configurecriteria capability from users to prevent them accessing the affected functionality until the patch is applied (in newer versions this is not necessary). |
| CVE identifier: | CVE-2022-30599 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-74333 |
| Tracker issue: | MDL-74333 SQL injection risk in badge award criteria |