Incorrect CSRF token checks resulted in multiple CSRF risks.
| Severity/Risk: | Serious |
| Versions affected: | 4.4, 4.3 to 4.3.4, 4.2 to 4.2.7, 4.1 to 4.1.10 and earlier unsupported versions |
| Versions fixed: | 4.4.1, 4.3.5, 4.2.8 and 4.1.11 |
| Reported by: | Vincent Schneider (cli-ish) |
| CVE identifier: | CVE-2024-38276 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-81890 |
| Tracker issue: | MDL-81890 CSRF risks due to misuse of confirm_sesskey |
The cURL wrapper in Moodle retained the original request headers when following redirects, so HTTP authorization header information could be unintentionally sent in requests to redirect URLs.
| Severity/Risk: | Minor |
| Versions affected: | 4.4, 4.3 to 4.3.4, 4.2 to 4.2.7, 4.1 to 4.1.10 and earlier unsupported versions |
| Versions fixed: | 4.4.1, 4.3.5, 4.2.8 and 4.1.11 |
| Reported by: | cameron1729 |
| CVE identifier: | CVE-2024-38275 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-81774 |
| Tracker issue: | MDL-81774 HTTP authorization header is preserved between "emulated redirects" |
Insufficient escaping of calendar event titles resulted in a stored XSS risk in the event deletion prompt.
| Severity/Risk: | Minor |
| Versions affected: | 4.4, 4.3 to 4.3.4, 4.2 to 4.2.7, 4.1 to 4.1.10 and earlier unsupported versions |
| Versions fixed: | 4.4.1, 4.3.5, 4.2.8 and 4.1.11 |
| Reported by: | Meirza |
| CVE identifier: | CVE-2024-38274 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-81412 |
| Tracker issue: | MDL-81412 Stored XSS via calendar's event title when deleting the event |
Insufficient capability checks meant it was possible for users to gain access to BigBlueButton join URLs they did not have permission to access.
| Severity/Risk: | Minor |
| Versions affected: | 4.4, 4.3 to 4.3.4, 4.2 to 4.2.7, 4.1 to 4.1.10 and earlier unsupported versions |
| Versions fixed: | 4.4.1, 4.3.5, 4.2.8 and 4.1.11 |
| Reported by: | Paul Holden |
| CVE identifier: | CVE-2024-38273 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-81778 |
| Tracker issue: | MDL-81778 BigBlueButton web service leaks meeting joining information to users who should not have access |
Insufficient checks whether ReCAPTCHA was enabled made it possible to bypass the checks on the login page. This did not affect other pages where ReCAPTCHA is utilised.
| Severity/Risk: | Minor |
| Versions affected: | 4.3 to 4.3.3 |
| Versions fixed: | 4.3.4 |
| Reported by: | caglaroflazoglu |
| CVE identifier: | CVE-2024-34009 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-81463 |
| Tracker issue: | MDL-81463 ReCAPTCHA can be bypassed on the login page |
Actions in the admin management of analytics models did not include the necessary token to prevent a CSRF risk.
| Severity/Risk: | Minor |
| Versions affected: | 4.0 to 4.3.3, 4.2 to 4.2.6, 4.1 to 4.1.9 and earlier unsupported versions |
| Versions fixed: | 4.3.4, 4.2.7 and 4.1.10 |
| Reported by: | Paul Holden |
| CVE identifier: | CVE-2024-34008 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-81059 |
| Tracker issue: | MDL-81059 CSRF risk in analytics management of models |
The logout option within MFA did not include the necessary token to avoid the risk of users inadvertently being logged out via CSRF.
| Severity/Risk: | Minor |
| Versions affected: | 4.3 to 4.3.3 |
| Versions fixed: | 4.3.4 |
| Reported by: | Petr Skoda |
| CVE identifier: | CVE-2024-34007 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-80877 |
| Tracker issue: | MDL-80877 Logout CSRF in admin/tool/mfa/auth.php |
The site log report required additional encoding of event descriptions to ensure any HTML in the content is displayed in plaintext instead of being rendered.
| Severity/Risk: | Minor |
| Versions affected: | 4.0 to 4.3.3, 4.2 to 4.2.6, 4.1 to 4.1.9 and earlier unsupported versions |
| Versions fixed: | 4.3.4, 4.2.7 and 4.1.10 |
| Reported by: | Leon Stringer |
| CVE identifier: | CVE-2024-34006 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-80585 |
| Tracker issue: | MDL-80585 Unsanitized HTML in site log for config_log_created |
In a shared hosting environment that has been misconfigured to allow access to other users' content, a Moodle user with both access to restore database activity modules and direct access to the web server outside of the Moodle webroot could execute a local file include.
| Severity/Risk: | Serious |
| Versions affected: | 4.0 to 4.3.3, 4.2 to 4.2.6, 4.1 to 4.1.9 and earlier unsupported versions |
| Versions fixed: | 4.3.4, 4.2.7 and 4.1.10 |
| Reported by: | Vincent Schneider (cli-ish) |
| CVE identifier: | CVE-2024-34005 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-81267 |
| Tracker issue: | MDL-81267 Authenticated LFI risk in some misconfigured shared hosting environments via modified mod_data backup |
In a shared hosting environment that has been misconfigured to allow access to other users' content, a Moodle user with both access to restore wiki modules and direct access to the web server outside of the Moodle webroot could execute a local file include.
| Severity/Risk: | Serious |
| Versions affected: | 4.0 to 4.3.3, 4.2 to 4.2.6, 4.1 to 4.1.9 and earlier unsupported versions |
| Versions fixed: | 4.3.4, 4.2.7 and 4.1.10 |
| Reported by: | Vincent Schneider (cli-ish) |
| CVE identifier: | CVE-2024-34004 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-81284 |
| Tracker issue: | MDL-81284 Authenticated LFI risk in some misconfigured shared hosting environments via modified mod_wiki backup |