Security announcements

MSA-23-0019: Proxy bypass risk due to insufficient validation

by Michael Hawkins

Incorrect domain matching logic made it possible to bypass the proxy, which could result in access to hosts intended to be blocked by the proxy.


Severity/Risk: Serious
Versions affected: 4.2 to 4.2.1, 4.1 to 4.1.4, 4.0 to 4.0.9, 3.11 to 3.11.15, 3.9 to 3.9.22 and earlier unsupported versions
Versions fixed: 4.2.2, 4.1.5, 4.0.10, 3.11.16 and 3.9.23
Reported by: Brendan Heywood
Workaround: Add hosts blocked within the proxy to the Moodle cURL blocked hosts configuration if possible, until the patch is applied.
CVE identifier: CVE-2023-40316
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-74289
Tracker issue: MDL-74289 Proxy bypass risk due to insufficient validation

MSA-23-0018: SSRF risk due to insufficient check on the cURL blocked hosts list

by Michael Hawkins

An issue in the logic used to check 0.0.0.0 against the cURL blocked hosts lists resulted in an SSRF risk.


Severity/Risk: Serious
Versions affected: 4.2, 4.1 to 4.1.3, 4.0 to 4.0.8, 3.11 to 3.11.14, 3.9 to 3.9.21 and earlier unsupported versions
Versions fixed: 4.2.1, 4.1.4, 4.0.9, 3.11.15 and 3.9.22
Reported by: Mateo Hanžek
CVE identifier: CVE-2023-35133
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-78215
Tracker issue: MDL-78215 SSRF risk due to insufficient check on the cURL blocked hosts list

MSA-23-0017: Minor SQL injection risk on Mnet SSO access control page

by Michael Hawkins

A limited SQL injection risk was identified on the Mnet SSO access control page.


Severity/Risk: Minor
Versions affected: 4.2, 4.1 to 4.1.3, 4.0 to 4.0.8, 3.11 to 3.11.14, 3.9 to 3.9.21 and earlier unsupported versions
Versions fixed: 4.2.1, 4.1.4, 4.0.9, 3.11.15 and 3.9.22
Reported by: Paul Holden
CVE identifier: CVE-2023-35132
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-77193
Tracker issue: MDL-77193 Minor SQL injection risk on Mnet SSO access control page

MSA-23-0016: XSS risk on groups page

by Michael Hawkins

Content on the groups page required additional sanitizing to prevent an XSS risk.


Severity/Risk: Minor
Versions affected: 4.2, 4.1 to 4.1.3, 4.0 to 4.0.8 and 3.11 to 3.11.14
Versions fixed: 4.2.1, 4.1.4, 4.0.9 and 3.11.15
Reported by: Petr Skoda
CVE identifier: CVE-2023-35131
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-76683
Tracker issue: MDL-76683 XSS risk on groups page

MSA-23-0015: Minor SQL injection risk in external Wiki method for listing pages

by Michael Hawkins

A limited SQL injection risk was identified in functionality used by the Wiki activity when listing pages.


Severity/Risk: Minor
Versions affected: 4.1 to 4.1.2, 4.0 to 4.0.7, 3.11 to 3.11.13, 3.9 to 3.9.20 and earlier unsupported versions
Versions fixed: 4.1.3, 4.0.8, 3.11.14 and 3.9.21
Reported by: Paul Holden
CVE identifier: CVE-2023-30944
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-77187
Tracker issue: MDL-77187 Minor SQL injection risk in external Wiki method for listing pages

MSA-23-0014: TinyMCE loaders susceptible to Arbitrary Folder Creation

by Michael Hawkins

Insufficient sanitizing of loaders used by TinyMCE resulted in an arbitrary folder creation risk.


Severity/Risk: Serious
Versions affected: 4.1 to 4.1.2
Versions fixed: 4.1.3
Reported by: Yaniv Nizry (SonarSource)
CVE identifier: CVE-2023-30943
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-77718
Tracker issue: MDL-77718 TinyMCE loaders susceptible to Arbitrary Folder Creation

MSA-23-0013: XSS risk in TinyMCE alerts (upstream)

by Michael Hawkins

The TinyMCE editor included with Moodle required a security patch to be applied to fix an XSS risk.


Severity/Risk: Minor
Versions affected: 4.1 to 4.1.1
Versions fixed: 4.1.2
Reported by: Andrew Lyons
CVE identifier: CVE-2022-23494
Changes (master): N/A
Tracker issue: MDL-77470 XSS risk in TinyMCE alerts (upstream)

MSA-23-0012: Course participation report shows roles the user should not see

by Michael Hawkins

The course participation report required additional checks to prevent roles being displayed which the user did not have access to view.


Severity/Risk: Minor
Versions affected: 4.1 to 4.1.1, 4.0 to 4.0.6, 3.11 to 3.11.12, 3.9 to 3.9.19 and earlier unsupported versions
Versions fixed: 4.1.2, 4.0.7, 3.11.13 and 3.9.20
Reported by: Chris Pratt
CVE identifier: CVE-2023-1402
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-75517
Tracker issue: MDL-75517 Course participation report shows roles the user should not see

MSA-23-0011: Teacher can access names of users they do not have permission to access

by Michael Hawkins

Insufficient filtering of grade report history made it possible for teachers to access the names of users they could not otherwise access.


Severity/Risk: Minor
Versions affected: 4.1 to 4.1.1, 4.0 to 4.0.6, 3.11 to 3.11.12, 3.9 to 3.9.19 and earlier unsupported versions
Versions fixed: 4.1.2, 4.0.7, 3.11.13 and 3.9.20
Reported by: DegrangeM
CVE identifier: CVE-2023-28336
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-76809
Tracker issue: MDL-76809 Teacher can access names of users they do not have permission to access

MSA-23-0010: CSRF risk in resetting all templates of a database activity

by Michael Hawkins

The link to reset all templates of a database activity did not include the necessary token to prevent a CSRF risk.


Severity/Risk: Minor
Versions affected: 4.1 to 4.1.1
Versions fixed: 4.1.2
Reported by: DegrangeM
CVE identifier: CVE-2023-28335
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-77008
Tracker issue: MDL-77008 CSRF risk in resetting all templates of a database activity