Security announcements

MSA-24-0052: Tag index page displays other users tagged with the selected tag

Author: Michael Hawkins

Insufficient checks meant users could see which users were tagged with a given tag, regardless of whether they had access to view those users' profiles.

Severity/Risk: Minor
Versions affected: 4.5, 4.4 to 4.4.4, 4.3 to 4.3.8, 4.1 to 4.1.14 and earlier unsupported versions
Versions fixed: 4.5.1, 4.4.5, 4.3.9 and 4.1.15
Reported by: Frederik Milling Pytlick
CVE identifier: CVE-2024-55644
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-82963
Tracker issue: MDL-82963 Tag index page displays other users tagged with the selected tag

MSA-24-0051: Unprotected access to sensitive information via learning plan web service

Author: Michael Hawkins

Insufficient capability checks in a learning plan web service could result in users having the ability to retrieve information they did not have permission to access (such as users' names).

Severity/Risk: Serious
Versions affected: 4.5, 4.4 to 4.4.4, 4.3 to 4.3.8, 4.1 to 4.1.14 and earlier unsupported versions
Versions fixed: 4.5.1, 4.4.5, 4.3.9 and 4.1.15
Reported by: lUcgryy
CVE identifier: CVE-2024-55643
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-83921
Tracker issue: MDL-83921 Unprotected access to sensitive information via learning plan web service

MSA-24-0050: IDOR when fetching report schedules

Author: Michael Hawkins

Additional checks were required to ensure users can only access the schedule of a report if they have permission to edit that report.

Severity/Risk: Minor
Versions affected: 4.4 to 4.4.3, 4.3 to 4.3.7, 4.2 to 4.2.10, 4.1 to 4.1.13 and earlier unsupported versions
Versions fixed: 4.4.4, 4.3.8, 4.2.11 and 4.1.14
Reported by: Frédéric Massart
CVE identifier: CVE-2024-48901
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-83180
Tracker issue: MDL-83180 IDOR when fetching report schedules

MSA-24-0049: IDOR when accessing list of badge recipients

Author: Michael Hawkins

Additional checks were required to ensure users with permission to view badge recipients can only access lists of those they are intended to have access to.

Severity/Risk: Minor
Versions affected: 4.4 to 4.4.3
Versions fixed: 4.4.4
Reported by: Frédéric Massart
CVE identifier: CVE-2024-48900
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-83178
Tracker issue: MDL-83178 IDOR when accessing list of badge recipients

MSA-24-0048: IDOR when accessing list of course badges

Author: Michael Hawkins

Additional checks were required to ensure users can only fetch the list of course badges for courses they are intended to have access to.

Severity/Risk: Minor
Versions affected: 4.4 to 4.4.3
Versions fixed: 4.4.4
Reported by: Frédéric Massart
CVE identifier: CVE-2024-48899
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-83179
Tracker issue: MDL-83179 IDOR when accessing list of course badges

MSA-24-0047: Some users can delete audiences of other reports

Author: Michael Hawkins

Users with access to delete audiences from some reports could delete audiences from other reports they did not have permission to delete from.

Severity/Risk: Minor
Versions affected: 4.4 to 4.4.3, 4.3 to 4.3.7, 4.2 to 4.2.10, 4.1 to 4.1.13 and earlier unsupported versions
Versions fixed: 4.4.4, 4.3.8, 4.2.11 and 4.1.14
Reported by: Frédéric Massart
CVE identifier: CVE-2024-48898
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-83181
Tracker issue: MDL-83181 Some users can delete audiences of other reports

MSA-24-0046: IDOR in edit/delete RSS feed

Author: Michael Hawkins

Additional checks were required to ensure users can only edit or delete RSS feeds they have permission to modify.

Severity/Risk: Minor
Versions affected: 4.4 to 4.4.3, 4.3 to 4.3.7, 4.2 to 4.2.10, 4.1 to 4.1.13 and earlier unsupported versions
Versions fixed: 4.4.4, 4.3.8, 4.2.11 and 4.1.14
Reported by: Paul Holden
CVE identifier: CVE-2024-48897
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-82386
Tracker issue: MDL-82386 IDOR in edit/delete RSS feed

MSA-24-0045: Users' names returned in messaging error message

Author: Michael Hawkins

It was possible for users with the "send message" capability to view other users' names they may not otherwise have access to, via an error message in Messaging. (Note: The name returned followed the full name format configured on the site).

Severity/Risk: Minor
Versions affected: 4.4 to 4.4.3, 4.3 to 4.3.7, 4.2 to 4.2.10, 4.1 to 4.1.13 and earlier unsupported versions
Versions fixed: 4.4.4, 4.3.8, 4.2.11 and 4.1.14
Reported by: Bruno Kirschner (Recurity Labs)
CVE identifier: CVE-2024-48896
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-83352
Tracker issue: MDL-83352 Users' names returned in messaging error message

MSA-24-0044: Lesson activity password bypass through PHP loose comparison

Author: Michael Hawkins

When access to a Lesson activity was restricted with a password, certain passwords could be bypassed because the password check used PHP's loose comparison (==) rather than an exact string comparison.

Note: this only affected passwords set to "magic hash" values. These are strings that PHP's loose comparison treats as numbers (for example "0e" followed by digits, which PHP reads as zero), so several distinct strings "match" the stored password instead of only an exact match being accepted.

Severity/Risk: Minor
Versions affected: 4.4 to 4.4.2, 4.3 to 4.3.6, 4.2 to 4.2.9, 4.1 to 4.1.12 and earlier unsupported versions
Versions fixed: 4.4.3, 4.3.7, 4.2.10 and 4.1.13
Reported by: TaiYou
Workaround: Avoid using passwords which are considered to be a "magic hash" value (such as those beginning with "0e" followed by digits).
CVE identifier: CVE-2024-45691
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-82365
Tracker issue: MDL-82365 Lesson activity password bypass through PHP loose comparison
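The following is an added illustration of the loose-comparison problem described in MSA-24-0044; it is not Moodle's code and makes no claim about how the Lesson module actually stores or checks its password. The stored passwords and attacker inputs are constructed, and the two checking functions are hypothetical names chosen for the example.

```php
<?php
// Added example: why PHP's loose comparison (==) breaks a password check for
// "magic hash" values, and how a strict comparison behaves on the same input.

// Vulnerable pattern: loose comparison. When both operands are numeric
// strings PHP compares them as numbers, so "0e1234567" and "0e99" both
// become 0.0 and compare equal.
function check_password_loose(string $stored, string $supplied): bool {
    return $supplied == $stored;
}

// Hardened pattern: byte-for-byte comparison in constant time. Two strings
// that merely look numerically equal do not match.
function check_password_strict(string $stored, string $supplied): bool {
    return hash_equals($stored, $supplied);
}

// Supports the workaround in the advisory: any numeric-looking string, not
// only the "0e<digits>" form, is prone to loose-comparison collisions.
function is_loose_collision_prone(string $password): bool {
    return is_numeric($password);
}

// Constructed cases: [stored password, attacker-supplied value].
$cases = [
    ['0e1234567', '0e99'],     // both read as 0 x 10^n, i.e. 0
    ['0e1234567', '0'],        // a bare "0" also equals 0
    ['0e1234567', '00e0'],     // leading zeros are still numeric
    ['1e3',       '1000'],     // exponent form vs plain integer
    ['hunter2',   'hunter3'],  // ordinary password: no false match either way
];

foreach ($cases as [$stored, $supplied]) {
    printf("stored=%-10s supplied=%-8s loose=%-5s strict=%-5s prone=%s\n",
        $stored,
        $supplied,
        var_export(check_password_loose($stored, $supplied), true),
        var_export(check_password_strict($stored, $supplied), true),
        var_export(is_loose_collision_prone($stored), true));
}

// The same defect appears when hex digests are compared loosely: these two
// inputs have MD5 digests of the form "0e<digits>", so == treats them as equal.
$a = md5('240610708'); // 0e462097431906509019562988736854
$b = md5('QNKCDZO');   // 0e830400451993494058024219903391
var_dump($a == $b);            // bool(true)  with loose comparison
var_dump(hash_equals($a, $b)); // bool(false) with strict comparison
```

The first four cases return true under the loose check and false under the strict one; only an exact match passes hash_equals. Running is_loose_collision_prone over existing stored passwords is one way to find values that the advisory's workaround says to avoid.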

MSA-24-0043: IDOR when deleting OAuth2 linked accounts

Author: Michael Hawkins

Additional checks were required to ensure users can only delete their own OAuth2 linked accounts.

Severity/Risk: Minor
Versions affected: 4.4 to 4.4.2, 4.3 to 4.3.6, 4.2 to 4.2.9, 4.1 to 4.1.12 and earlier unsupported versions
Versions fixed: 4.4.3, 4.3.7, 4.2.10 and 4.1.13
Reported by: Trevor McCready
CVE identifier: CVE-2024-45690
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-76962
Tracker issue: MDL-76962 IDOR when deleting OAuth2 linked accounts
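MSA-24-0050, MSA-24-0049, MSA-24-0048, MSA-24-0047, MSA-24-0046 and MSA-24-0043 all describe the same authorization shape: a request names a child object by id (a report schedule, a badge list, a report audience, an RSS feed, a linked login), and the check must bind that child to a parent the caller is actually allowed to act on. The block below is an added example of that pattern and is not Moodle's code; the in-memory tables, the owner-based permission model and all function names are constructed for illustration.

```php
<?php
// Added example: IDOR-prone handlers beside their checked counterparts.
// Constructed in-memory "tables" stand in for the database.
$reports = [
    10 => ['id' => 10, 'owner' => 'alice'],
    11 => ['id' => 11, 'owner' => 'bob'],
];
$schedules = [
    100 => ['id' => 100, 'reportid' => 10],
    101 => ['id' => 101, 'reportid' => 11],
];
$audiences = [
    200 => ['id' => 200, 'reportid' => 10],
    201 => ['id' => 201, 'reportid' => 11],
];

// Assumed permission model: a user may edit a report they own.
function can_edit_report(array $report, string $user): bool {
    return $report['owner'] === $user;
}

// Vulnerable fetch: the schedule id is trusted and the parent report is
// never consulted, so any user who knows an id gets the record.
function get_schedule_vulnerable(array $schedules, int $scheduleid, string $user): ?array {
    return $schedules[$scheduleid] ?? null;
}

// Checked fetch: load the child, resolve its parent, authorise on the parent.
// "Not found" and "not permitted" give the same answer, so the endpoint does
// not become an oracle for which ids exist.
function get_schedule_checked(array $schedules, array $reports, int $scheduleid, string $user): ?array {
    $schedule = $schedules[$scheduleid] ?? null;
    if ($schedule === null) {
        return null;
    }
    $report = $reports[$schedule['reportid']] ?? null;
    if ($report === null || !can_edit_report($report, $user)) {
        return null;
    }
    return $schedule;
}

// Vulnerable delete: the permission check runs against the report id the
// caller chose, but the audience is deleted by its own id regardless of
// which report it belongs to.
function delete_audience_vulnerable(array &$audiences, array $reports, int $reportid, int $audienceid, string $user): bool {
    $report = $reports[$reportid] ?? null;
    if ($report === null || !can_edit_report($report, $user)) {
        return false;
    }
    if (!isset($audiences[$audienceid])) {
        return false;
    }
    unset($audiences[$audienceid]);
    return true;
}

// Checked delete: after authorising the report, require that the audience
// actually belongs to that report before touching it.
function delete_audience_checked(array &$audiences, array $reports, int $reportid, int $audienceid, string $user): bool {
    $report = $reports[$reportid] ?? null;
    if ($report === null || !can_edit_report($report, $user)) {
        return false;
    }
    $audience = $audiences[$audienceid] ?? null;
    if ($audience === null || $audience['reportid'] !== $reportid) {
        return false;
    }
    unset($audiences[$audienceid]);
    return true;
}

// bob asks for alice's schedule (id 100) and tries to delete alice's
// audience (id 200) while naming his own report (id 11).
var_dump(get_schedule_vulnerable($schedules, 100, 'bob') !== null);          // bool(true)
var_dump(get_schedule_checked($schedules, $reports, 100, 'bob') !== null);   // bool(false)
var_dump(get_schedule_checked($schedules, $reports, 101, 'bob') !== null);   // bool(true)

$copy = $audiences;
var_dump(delete_audience_vulnerable($copy, $reports, 11, 200, 'bob'));      // bool(true): cross-report delete
$copy = $audiences;
var_dump(delete_audience_checked($copy, $reports, 11, 200, 'bob'));         // bool(false)
var_dump(delete_audience_checked($copy, $reports, 11, 201, 'bob'));         // bool(true)
```

In a real database-backed handler the binding in delete_audience_checked is usually expressed in the query itself (select or delete by both the child id and the authorised parent id), which keeps the check and the operation on the same row.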