Security announcements

MSA-23-0038: Stored XSS in quiz grading report via user ID number

by Michael Hawkins -

ID numbers displayed in the quiz grading report required additional sanitizing to prevent a stored XSS risk.


Severity/Risk: Minor
Versions affected: 4.2 to 4.2.2, 4.1 to 4.1.5 and 4.0 to 4.0.10
Versions fixed: 4.2.3, 4.1.6 and 4.0.11
Reported by: Paul Holden
CVE identifier: CVE-2023-5546
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-78971
Tracker issue: MDL-78971 Stored XSS in quiz grading report via user ID number

MSA-23-0037: Auto-populated H5P author name causes a potential information leak

by Michael Hawkins -

H5P metadata automatically populated the author with the user's username, which could be sensitive information.


Severity/Risk: Minor
Versions affected: 4.2 to 4.2.2, 4.1 to 4.1.5, 4.0 to 4.0.10, 3.11 to 3.11.16, 3.9 to 3.9.23 and earlier unsupported versions
Versions fixed: 4.2.3, 4.1.6, 4.0.11, 3.11.17 and 3.9.24
Reported by: Josh Manders
CVE identifier: CVE-2023-5545
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-78820
Tracker issue: MDL-78820 Auto-populated H5P author name causes a potential information leak

MSA-23-0036: Stored XSS and potential IDOR risk in Wiki comments

by Michael Hawkins -

Wiki comments required additional sanitizing and access restrictions to prevent a stored XSS risk and potential IDOR risk.


Severity/Risk: Serious
Versions affected: 4.2 to 4.2.2, 4.1 to 4.1.5, 4.0 to 4.0.10, 3.11 to 3.11.16, 3.9 to 3.9.23 and earlier unsupported versions
Versions fixed: 4.2.3, 4.1.6, 4.0.11, 3.11.17 and 3.9.24
Reported by: h1w0rld
CVE identifier: CVE-2023-5544
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-79509
Tracker issue: MDL-79509 Stored XSS and potential IDOR risk in Wiki comments

MSA-23-0035: Duplicating a BigBlueButton activity assigns the same meeting ID

by Michael Hawkins -

When duplicating a BigBlueButton activity, the original meeting ID was also duplicated instead of using a new ID for the new activity. This could provide unintended access to the original meeting.


Severity/Risk: Minor
Versions affected: 4.2 to 4.2.2, 4.1 to 4.1.5 and 4.0 to 4.0.10
Versions fixed: 4.2.3, 4.1.6 and 4.0.11
Reported by: Lionel Caylat
Workaround: Manually create a fresh BigBlueButton activity instead of duplicating, until the patch has been applied.
CVE identifier: CVE-2023-5543
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-77795
Tracker issue: MDL-77795 Duplicating a BigBlueButton activity assigns the same meeting ID

MSA-23-0034: Students could see other students in "Only see own membership" groups

by Michael Hawkins -

Students in "Only see own membership" groups could see other students in the group, which should be hidden.


Severity/Risk: Minor
Versions affected: 4.2.2
Versions fixed: 4.2.3
Reported by: Eliot
CVE identifier: CVE-2023-5542
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-79213
Tracker issue: MDL-79213 Students could see other students in "Only see own membership" groups

MSA-23-0033: XSS risk when using CSV grade import method

by Michael Hawkins -

The CSV grade import method contained an XSS risk for users importing the spreadsheet, if it contained unsafe content.


Severity/Risk: Minor
Versions affected: 4.2 to 4.2.2, 4.1 to 4.1.5, 4.0 to 4.0.10, 3.11 to 3.11.16, 3.9 to 3.9.23 and earlier unsupported versions
Versions fixed: 4.2.3, 4.1.6, 4.0.11, 3.11.17 and 3.9.24
Reported by: Attilio Ferrari
Workaround: Verify the contents and trustworthiness of grade spreadsheets before importing them.
CVE identifier: CVE-2023-5541
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-79426
Tracker issue: MDL-79426 XSS risk when using CSV grade import method

MSA-23-0032: Authenticated remote code execution risk in IMSCP

by Michael Hawkins -

A remote code execution risk was identified in the IMSCP activity. By default this was only available to teachers and managers.


Severity/Risk: Serious
Versions affected: 4.2 to 4.2.2, 4.1 to 4.1.5, 4.0 to 4.0.10, 3.11 to 3.11.16, 3.9 to 3.9.23 and earlier unsupported versions
Versions fixed: 4.2.3, 4.1.6, 4.0.11, 3.11.17 and 3.9.24
Reported by: Vincent Schneider (cli-ish)
CVE identifier: CVE-2023-5540
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-79409
Tracker issue: MDL-79409 Authenticated remote code execution risk in IMSCP

MSA-23-0031: Authenticated remote code execution risk in Lesson

by Michael Hawkins -

A remote code execution risk was identified in the Lesson activity. By default this was only available to teachers and managers.


Severity/Risk: Serious
Versions affected: 4.2 to 4.2.2, 4.1 to 4.1.5, 4.0 to 4.0.10, 3.11 to 3.11.16, 3.9 to 3.9.23 and earlier unsupported versions
Versions fixed: 4.2.3, 4.1.6, 4.0.11, 3.11.17 and 3.9.24
Reported by: Vincent Schneider (cli-ish)
CVE identifier: CVE-2023-5539
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-79408
Tracker issue: MDL-79408 Authenticated remote code execution risk in Lesson

MSA-23-0030: Quiz sequential navigation bypass possible

by Michael Hawkins -

Insufficient limitations made it possible for students to bypass sequential navigation during a quiz attempt.


Severity/Risk: Minor
Versions affected: 4.2 to 4.2.1, 4.1 to 4.1.4, 4.0 to 4.0.9, 3.11 to 3.11.15, 3.9 to 3.9.22 and earlier unsupported versions
Versions fixed: 4.2.2, 4.1.5, 4.0.10, 3.11.16 and 3.9.23
Reported by: Abhijit A M
CVE identifier: CVE-2023-40325
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71728
Tracker issue: MDL-71728 Quiz sequential navigation bypass possible

MSA-23-0029: Competency framework tools are not restricted as intended

by Michael Hawkins -

Insufficient capability checks resulted in competency framework tools being available to users without the relevant capability.


Severity/Risk: Minor
Versions affected: 4.2 to 4.2.1, 4.1 to 4.1.4, 4.0 to 4.0.9, 3.11 to 3.11.15, 3.9 to 3.9.22 and earlier unsupported versions
Versions fixed: 4.2.2, 4.1.5, 4.0.10, 3.11.16 and 3.9.23
Reported by: Michael Hawkins
CVE identifier: CVE-2023-40324
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-66212
Tracker issue: MDL-66212 Competency framework tools are not restricted as intended