Security announcements

MSA-22-0021: Upgrade Mustache to latest version (upstream)

by Michael Hawkins -

The Mustache template library included with Moodle has been upgraded to the latest version, which includes a fix for a serious security issue.


Severity/Risk: Serious
Versions affected: 4.0 to 4.0.2, 3.11 to 3.11.8, 3.9 to 3.9.15 and earlier unsupported versions
Versions fixed: 4.0.3, 3.11.9 and 3.9.16
Reported by: Lars Bonczek
CVE identifier: CVE-2022-0323
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-75388
Tracker issue: MDL-75388 Upgrade Mustache to latest version (upstream)

MSA-22-0020: Upgrade moodle-mlbackend-python and update its reference in /lib/mlbackend/python/classes/processor.php (upstream)

by Michael Hawkins -

The upstream Moodle machine learning backend (moodle-mlbackend-python) and the reference to it in /lib/mlbackend/python/classes/processor.php were upgraded; the new backend release includes security updates.


Please note: If you are using Moodle Analytics, an upgrade to the mlbackend is required. See the Analytics settings documentation for more information about required versions and how to upgrade.
Severity/Risk: Minor
Versions affected: 4.0 to 4.0.1, 3.11 to 3.11.7, 3.9 to 3.9.14 and earlier unsupported versions
Versions fixed: 4.0.2, 3.11.8 and 3.9.15
Reported by: Ilya Tregubov
CVE identifier: N/A
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-74473
Tracker issue: MDL-74473 Upgrade moodle-mlbackend-python and update its reference in /lib/mlbackend/python/classes/processor.php (upstream)

MSA-22-0019: LTI module reflected XSS risk - affecting unauthenticated users only

by Michael Hawkins -

A minor reflected XSS risk was identified in the LTI module. This did not impact authenticated users.


Severity/Risk: Minor
Versions affected: 4.0 to 4.0.1, 3.11 to 3.11.7, 3.9 to 3.9.14 and earlier unsupported versions
Versions fixed: 4.0.2, 3.11.8 and 3.9.15
Reported by: Luuk Verhoeven
CVE identifier: CVE-2022-35653
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-72299
Tracker issue: MDL-72299 LTI module reflected XSS risk - affecting unauthenticated users only

MSA-22-0018: Open redirect risk in mobile auto-login feature

by Michael Hawkins -

The mobile auto-login URL required additional sanitizing to prevent an open redirect risk.


Severity/Risk: Minor
Versions affected: 4.0 to 4.0.1, 3.11 to 3.11.7, 3.9 to 3.9.14 and earlier unsupported versions
Versions fixed: 4.0.2, 3.11.8 and 3.9.15
Reported by: petermaster
CVE identifier: CVE-2022-35652
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-72171
Tracker issue: MDL-72171 Open redirect risk in mobile auto-login feature
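The advisory says only that the auto-login URL "required additional sanitizing"; it does not show the check. The following is an added example, not Moodle's code and not taken from the fix, of the kind of origin check an open-redirect sink needs. WWWROOT is a constructed stand-in for the site root ($CFG->wwwroot); the naive prefix test is included only to show what it misses.

```python
"""Validate a post-login redirect target against the site's own origin."""
from urllib.parse import urlsplit

# Stand-in for Moodle's $CFG->wwwroot (constructed value for this example).
WWWROOT = "https://moodle.example.edu"


def naive_is_local(url: str) -> bool:
    """Prefix test that looks adequate but is bypassable; kept for contrast."""
    return url.startswith(WWWROOT)


def is_local_redirect(url: str) -> bool:
    """Accept only targets that stay on WWWROOT's scheme, host and path.

    Backslashes are rejected outright: browsers treat them as forward slashes,
    urlsplit does not, so "/\\evil.example" would otherwise pass as a relative
    path and then be followed off-site.
    """
    if not url or "\\" in url:
        return False
    site = urlsplit(WWWROOT)
    root_path = site.path.rstrip("/")          # "" when wwwroot has no path
    head = url.split("/", 1)[0]
    if ":" in head:
        # A colon before the first slash means a scheme is present, so treat
        # the value as absolute. "https:evil.example" lands here too: it has
        # no netloc, so it fails the host comparison instead of being joined.
        try:
            parts = urlsplit(url)
        except ValueError:                     # malformed netloc, e.g. '['
            return False
        return (
            parts.scheme == site.scheme
            and parts.netloc.lower() == site.netloc.lower()
            and (parts.path == root_path or parts.path.startswith(root_path + "/"))
        )
    # Relative target: must be a single-slash path under the site root.
    # "//host/..." is scheme-relative and would leave the site.
    return url.startswith(root_path + "/") and not url.startswith("//")


def safe_redirect_target(url: str, fallback: str = WWWROOT + "/") -> str:
    """Redirect helper: the requested URL if local, otherwise the landing page."""
    return url if is_local_redirect(url) else fallback
```

The prefix test accepts `https://moodle.example.edu.evil.example/` and `https://moodle.example.edu@evil.example/`; the origin check rejects both, along with scheme-relative, backslash and `javascript:` targets.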

MSA-22-0017: Stored XSS and blind SSRF possible via SCORM track details

by Michael Hawkins -

Insufficient sanitizing of SCORM track details presented stored XSS and blind SSRF risks.


Severity/Risk: Serious
Versions affected: 4.0 to 4.0.1, 3.11 to 3.11.7, 3.9 to 3.9.14 and earlier unsupported versions
Versions fixed: 4.0.2, 3.11.8 and 3.9.15
Reported by: Rekter0
CVE identifier: CVE-2022-35651
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71921
Tracker issue: MDL-71921 Stored XSS and blind SSRF possible via SCORM track details

MSA-22-0016: Arbitrary file read when importing lesson questions

by Michael Hawkins -

Insufficient path checks in a lesson question import resulted in an arbitrary file read risk. The capability to access this feature is only available to teachers, managers and admins by default.


Severity/Risk: Serious
Versions affected: 4.0 to 4.0.1, 3.11 to 3.11.7, 3.9 to 3.9.14 and earlier unsupported versions
Versions fixed: 4.0.2, 3.11.8 and 3.9.15
Reported by: loknop
CVE identifier: CVE-2022-35650
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-72029
Tracker issue: MDL-72029 Arbitrary file read when importing lesson questions
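The advisory attributes this issue to "insufficient path checks" on an import file name. As an added example (not Moodle's code and not the actual patch), the following confines a user-supplied name to one directory by canonicalising both sides with realpath before the containment test, which also catches symlinks and absolute inputs; the directory tree it probes is constructed in a temporary directory.

```python
"""Confine a user-supplied import file name to one allowed directory."""
import os
import shutil
import tempfile
from typing import Dict, Optional


def resolve_import_path(base_dir: str, requested: str) -> Optional[str]:
    """Return the canonical path of `requested` inside base_dir, or None.

    Both sides go through realpath so ".." segments, doubled separators and
    symlinks are resolved before the containment test. Comparing the raw
    string against base_dir would pass "../config.php" straight through.
    """
    base = os.path.realpath(base_dir)
    # Join before canonicalising: os.path.join drops `base` when `requested`
    # is absolute, so an absolute path outside base_dir is caught as well.
    candidate = os.path.realpath(os.path.join(base, requested))
    if not candidate.startswith(base + os.sep):
        return None
    return candidate


def read_import_file(base_dir: str, requested: str) -> Optional[str]:
    """Read the file only if it resolves inside base_dir and is a regular file."""
    path = resolve_import_path(base_dir, requested)
    if path is None or not os.path.isfile(path):
        return None
    with open(path, "r", encoding="utf-8") as fh:
        return fh.read()


def demo() -> Dict[str, bool]:
    """Probe a constructed tree: one legitimate file, one sibling secret, and
    a symlink inside the import directory that points at the secret."""
    root = tempfile.mkdtemp()
    try:
        import_dir = os.path.join(root, "lessonimport")
        os.mkdir(import_dir)
        with open(os.path.join(import_dir, "questions.txt"), "w") as fh:
            fh.write("What is 2+2? {=4}\n")          # constructed sample line
        secret = os.path.join(root, "config.php")
        with open(secret, "w") as fh:
            fh.write("<?php $CFG->dbpass = 'constructed';\n")
        os.symlink(secret, os.path.join(import_dir, "innocent.txt"))
        probes = {
            "plain name": "questions.txt",
            "dot-dot": "../config.php",
            "symlink out": "innocent.txt",
            "absolute": secret,
        }
        return {label: read_import_file(import_dir, p) is not None
                for label, p in probes.items()}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

Only the plain file name is readable; the dot-dot, symlink and absolute probes all resolve outside the import directory and are refused before any file is opened.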

MSA-22-0015: PostScript Code Injection / Remote code execution risk

by Michael Hawkins -

An omitted execution parameter resulted in a remote code execution risk for sites running GhostScript versions older than 9.50.


Severity/Risk: Serious
Versions affected: 4.0 to 4.0.1, 3.11 to 3.11.7, 3.9 to 3.9.14 and earlier unsupported versions
Versions fixed: 4.0.2, 3.11.8 and 3.9.15
Reported by: Nick Wojciechowski, CyberCX
Workaround: Ensure older versions of GhostScript are upgraded to 9.50 or newer.
CVE identifier: CVE-2022-35649
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-75044
Tracker issue: MDL-75044 PostScript Code Injection / Remote code execution risk
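The advisory does not name the omitted parameter. The 9.50 threshold matches the Ghostscript release that made SAFER mode the default, so the parameter is assumed here to be -dSAFER; that assumption, the device and resolution flags, and the version-parsing helper below are this editor's addition, not Moodle's command line. The example checks an installed gs against 9.50 and builds an invocation that passes -dSAFER explicitly regardless of version.

```python
"""Check Ghostscript against the 9.50 SAFER default and build a hardened
command line. Added example; the flag choice is an assumption (see lead-in)."""
import re
import shutil
import subprocess
from typing import List, Optional, Tuple

# Ghostscript 9.50 switched the default to SAFER; older builds need -dSAFER
# passed explicitly or PostScript in a user-supplied file can run file and
# pipe operators with the web server's privileges.
SAFER_DEFAULT_SINCE = (9, 50)


def parse_gs_version(text: str) -> Optional[Tuple[int, int]]:
    """Parse the first major.minor pair from `gs --version` output
    (e.g. "9.26" -> (9, 26), "10.02.1" -> (10, 2))."""
    m = re.search(r"(\d+)\.(\d+)", text)
    return (int(m.group(1)), int(m.group(2))) if m else None


def safer_is_default(version: Tuple[int, int]) -> bool:
    """True when this version enables SAFER without being asked."""
    return version >= SAFER_DEFAULT_SINCE


def gs_command(gs_path: str, input_file: str, output_file: str) -> List[str]:
    """Rasterise one page to PNG with SAFER forced on.

    -dSAFER is passed unconditionally: on 9.50+ it is a no-op, on older
    builds it is the difference between a conversion and code execution.
    Flags are placed before the input file so they cannot be overridden.
    """
    return [
        gs_path,
        "-q", "-dSAFER", "-dBATCH", "-dNOPAUSE",
        "-sDEVICE=png16m", "-r72",
        "-dFirstPage=1", "-dLastPage=1",
        f"-sOutputFile={output_file}",
        input_file,
    ]


def installed_gs_version() -> Optional[Tuple[int, int]]:
    """Version of the gs binary on PATH, or None if there is none."""
    gs = shutil.which("gs")
    if not gs:
        return None
    out = subprocess.run([gs, "--version"], capture_output=True,
                         text=True, check=False).stdout
    return parse_gs_version(out)


if __name__ == "__main__":
    v = installed_gs_version()
    if v is None:
        print("gs not found on PATH")
    else:
        status = "SAFER by default" if safer_is_default(v) else "needs -dSAFER"
        print(f"gs {v[0]}.{v[1]}: {status}")
    print(" ".join(gs_command("gs", "upload.pdf", "page1.png")))
```

The version check is the workaround test (is this host below 9.50?); the command builder is the code-side fix, which is still worth applying on 9.50+ so the protection does not depend on whichever gs the distribution ships.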

MSA-22-0014: Failed login attempts counted incorrectly

by Michael Hawkins -

An issue in the logic used to count failed login attempts could result in the account lockout threshold being bypassed.


Severity/Risk: Serious
Versions affected: 4.0, 3.11 to 3.11.6, 3.10 to 3.10.10, 3.9 to 3.9.13 and earlier unsupported versions
Versions fixed: 4.0.1, 3.11.7, 3.10.11 and 3.9.14
Reported by: Shamim Rezaie
CVE identifier: CVE-2022-30600
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-73736
Tracker issue: MDL-73736 Failed login attempts counted incorrectly

MSA-22-0013: SQL injection risk in badge award criteria

by Michael Hawkins -

An SQL injection risk was identified in Badges code relating to configuring criteria.

NOTE: in Moodle 4.0, 3.11.6, 3.10.10 and 3.9.13, the affected functionality was available to site administrators only. In earlier versions, the relevant capability was also granted to teachers and managers by default.


Severity/Risk: Serious
Versions affected: 4.0, 3.11 to 3.11.6, 3.10 to 3.10.10, 3.9 to 3.9.13 and earlier unsupported versions
Versions fixed: 4.0.1, 3.11.7, 3.10.11 and 3.9.14
Reported by: Michael Dunstan
Workaround: In versions earlier than Moodle 4.0, 3.11.6, 3.10.10 and 3.9.13, remove the moodle/badges:configurecriteria capability from users to prevent them accessing the affected functionality until the patch is applied (in newer versions this is not necessary).
CVE identifier: CVE-2022-30599
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-74333
Tracker issue: MDL-74333 SQL injection risk in badge award criteria
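The advisory identifies an SQL injection risk in criteria configuration but does not show the query. As an added example (not Moodle's code or schema; the table is a constructed, loosely modelled stand-in for a criteria-parameter table), the following puts a string-built lookup beside the parameterised form that Moodle's DML layer also uses (named :placeholders), and shows what a crafted criterion id does to each.

```python
"""Badge criteria lookup: string-built SQL beside the parameterised form."""
import sqlite3
from typing import List, Optional


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for a badge criteria parameter table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE badge_criteria_param (
            id INTEGER PRIMARY KEY, critid INTEGER, name TEXT, value TEXT);
        INSERT INTO badge_criteria_param VALUES (1, 10, 'course_1', '1');
        INSERT INTO badge_criteria_param VALUES (2, 10, 'grade_1', '80');
        INSERT INTO badge_criteria_param VALUES (3, 11, 'role_5', '5');
    """)
    return conn


def params_unsafe(conn: sqlite3.Connection, critid: str) -> List[str]:
    """Vulnerable form: the caller-controlled id is spliced into the SQL text,
    so "10 OR 1=1" widens the WHERE clause to every criterion on the site."""
    sql = f"SELECT name FROM badge_criteria_param WHERE critid = {critid} ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def params_safe(conn: sqlite3.Connection, critid: str) -> Optional[List[str]]:
    """Hardened form: the id is coerced to int (so a non-numeric value is
    rejected, returning None) and bound as a named parameter, never
    interpolated into the statement."""
    try:
        crit = int(critid)
    except ValueError:
        return None
    rows = conn.execute(
        "SELECT name FROM badge_criteria_param WHERE critid = :critid ORDER BY id",
        {"critid": crit},
    )
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    for probe in ("10", "10 OR 1=1"):
        print(repr(probe), "unsafe:", params_unsafe(db, probe),
              "safe:", params_safe(db, probe))
```

With the crafted id the unsafe query returns all three rows; the parameterised one refuses the input. Type coercion on its own is not the defence (a text column would still need binding), but it is a cheap second gate for ids that are always integers.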

MSA-22-0012: Global search results reveal authors of content unexpectedly for some activities

by Michael Hawkins -

Global search results could include author information on some activities where a user may not otherwise have access to it.


Severity/Risk: Minor
Versions affected: 4.0, 3.11 to 3.11.6, 3.10 to 3.10.10, 3.9 to 3.9.13 and earlier unsupported versions
Versions fixed: 4.0.1, 3.11.7, 3.10.11 and 3.9.14
Reported by: Catalina
CVE identifier: CVE-2022-30598
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71623
Tracker issue: MDL-71623 Global search results reveal authors of content unexpectedly for some activities