Security announcements

MSA-24-0023: HTTP authorization header is preserved between "emulated redirects"

by Michael Hawkins -

The cURL wrapper in Moodle retained the original request headers when following redirects, so HTTP authorization header information could be unintentionally sent in requests to redirect URLs.

Severity/Risk: Minor
Versions affected: 4.4, 4.3 to 4.3.4, 4.2 to 4.2.7, 4.1 to 4.1.10 and earlier unsupported versions
Versions fixed: 4.4.1, 4.3.5, 4.2.8 and 4.1.11
Reported by: cameron1729
CVE identifier: CVE-2024-38275
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-81774
Tracker issue: MDL-81774 HTTP authorization header is preserved between "emulated redirects"
இத்தலைப்பில் கலந்துரையாடவும்.  (இதுவரை 0 பதில்கள்)

MSA-24-0022: Stored XSS via calendar's event title when deleting the event

by Michael Hawkins -

Insufficient escaping of calendar event titles resulted in a stored XSS risk in the event deletion prompt.

Severity/Risk: Minor
Versions affected: 4.4, 4.3 to 4.3.4, 4.2 to 4.2.7, 4.1 to 4.1.10 and earlier unsupported versions
Versions fixed: 4.4.1, 4.3.5, 4.2.8 and 4.1.11
Reported by: Meirza
CVE identifier: CVE-2024-38274
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-81412
Tracker issue: MDL-81412 Stored XSS via calendar's event title when deleting the event
இத்தலைப்பில் கலந்துரையாடவும்.  (இதுவரை 0 பதில்கள்)

MSA-24-0021: BigBlueButton web service leaks meeting joining information to users who should not have access

by Michael Hawkins -

Insufficient capability checks meant it was possible for users to gain access to BigBlueButton join URLs they did not have permission to access.

Severity/Risk: Minor
Versions affected: 4.4, 4.3 to 4.3.4, 4.2 to 4.2.7, 4.1 to 4.1.10 and earlier unsupported versions
Versions fixed: 4.4.1, 4.3.5, 4.2.8 and 4.1.11
Reported by: Paul Holden
CVE identifier: CVE-2024-38273
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-81778
Tracker issue: MDL-81778 BigBlueButton web service leaks meeting joining information to users who should not have access
இத்தலைப்பில் கலந்துரையாடவும்.  (இதுவரை 0 பதில்கள்)

MSA-24-0020: ReCAPTCHA can be bypassed on the login page

by Michael Hawkins -

Insufficient checks whether ReCAPTCHA was enabled made it possible to bypass the checks on the login page. This did not affect other pages where ReCAPTCHA is utilised.

Severity/Risk: Minor
Versions affected: 4.3 to 4.3.3
Versions fixed: 4.3.4
Reported by: caglaroflazoglu
CVE identifier: CVE-2024-34009
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-81463
Tracker issue: MDL-81463 ReCAPTCHA can be bypassed on the login page
இத்தலைப்பில் கலந்துரையாடவும்.  (இதுவரை 0 பதில்கள்)

MSA-24-0019: CSRF risk in analytics management of models

by Michael Hawkins -

Actions in the admin management of analytics models did not include the necessary token to prevent a CSRF risk.

Severity/Risk: Minor
Versions affected: 4.0 to 4.3.3, 4.2 to 4.2.6, 4.1 to 4.1.9 and earlier unsupported versions
Versions fixed: 4.3.4, 4.2.7 and 4.1.10
Reported by: Paul Holden
CVE identifier: CVE-2024-34008
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-81059
Tracker issue: MDL-81059 CSRF risk in analytics management of models
இத்தலைப்பில் கலந்துரையாடவும்.  (இதுவரை 0 பதில்கள்)

MSA-24-0018: Logout CSRF in admin/tool/mfa/auth.php

by Michael Hawkins -

The logout option within MFA did not include the necessary token to avoid the risk of users inadvertently being logged out via CSRF.

Severity/Risk: Minor
Versions affected: 4.3 to 4.3.3
Versions fixed: 4.3.4
Reported by: Petr Skoda
CVE identifier: CVE-2024-34007
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-80877
Tracker issue: MDL-80877 Logout CSRF in admin/tool/mfa/auth.php
இத்தலைப்பில் கலந்துரையாடவும்.  (இதுவரை 0 பதில்கள்)

MSA-24-0017: Unsanitized HTML in site log for config_log_created

by Michael Hawkins -

The site log report required additional encoding of event descriptions to ensure any HTML in the content is displayed in plaintext instead of being rendered.

Severity/Risk: Minor
Versions affected: 4.0 to 4.3.3, 4.2 to 4.2.6, 4.1 to 4.1.9 and earlier unsupported versions
Versions fixed: 4.3.4, 4.2.7 and 4.1.10
Reported by: Leon Stringer
CVE identifier: CVE-2024-34006
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-80585
Tracker issue: MDL-80585 Unsanitized HTML in site log for config_log_created
இத்தலைப்பில் கலந்துரையாடவும்.  (இதுவரை 0 பதில்கள்)

MSA-24-0016: Authenticated LFI risk in some misconfigured shared hosting environments via modified mod_data backup

by Michael Hawkins -

In a shared hosting environment that has been misconfigured to allow access to other users' content, a Moodle user with both access to restore database activity modules and direct access to the web server outside of the Moodle webroot could execute a local file include.

Severity/Risk: Serious
Versions affected: 4.0 to 4.3.3, 4.2 to 4.2.6, 4.1 to 4.1.9 and earlier unsupported versions
Versions fixed: 4.3.4, 4.2.7 and 4.1.10
Reported by: Vincent Schneider (cli-ish)
CVE identifier: CVE-2024-34005
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-81267
Tracker issue: MDL-81267 Authenticated LFI risk in some misconfigured shared hosting environments via modified mod_data backup
இத்தலைப்பில் கலந்துரையாடவும்.  (இதுவரை 0 பதில்கள்)

MSA-24-0015: Authenticated LFI risk in some misconfigured shared hosting environments via modified mod_wiki backup

by Michael Hawkins -

In a shared hosting environment that has been misconfigured to allow access to other users' content, a Moodle user with both access to restore wiki modules and direct access to the web server outside of the Moodle webroot could execute a local file include.

Severity/Risk: Serious
Versions affected: 4.0 to 4.3.3, 4.2 to 4.2.6, 4.1 to 4.1.9 and earlier unsupported versions
Versions fixed: 4.3.4, 4.2.7 and 4.1.10
Reported by: Vincent Schneider (cli-ish)
CVE identifier: CVE-2024-34004
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-81284
Tracker issue: MDL-81284 Authenticated LFI risk in some misconfigured shared hosting environments via modified mod_wiki backup
இத்தலைப்பில் கலந்துரையாடவும்.  (இதுவரை 0 பதில்கள்)

MSA-24-0014: Authenticated LFI risk in some misconfigured shared hosting environments via modified mod_workshop backup

by Michael Hawkins -

In a shared hosting environment that has been misconfigured to allow access to other users' content, a Moodle user with both access to restore workshop modules and direct access to the web server outside of the Moodle webroot could execute a local file include.

Severity/Risk: Serious
Versions affected: 4.0 to 4.3.3, 4.2 to 4.2.6, 4.1 to 4.1.9 and earlier unsupported versions
Versions fixed: 4.3.4, 4.2.7 and 4.1.10
Reported by: Vincent Schneider (cli-ish)
CVE identifier: CVE-2024-34003
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-80712
Tracker issue: MDL-80712 Authenticated LFI risk in some misconfigured shared hosting environments via modified mod_workshop backup
இத்தலைப்பில் கலந்துரையாடவும்.  (இதுவரை 0 பதில்கள்)