ID numbers displayed in the web service token list required additional sanitizing to prevent a stored XSS risk.
| Severity/Risk: | Minor |
| Versions affected: | 3.11 |
| Versions fixed: | 3.11.1 |
| Reported by: | Marina Glancy |
| CVE identifier: | CVE-2021-36398 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71760 |
| Tracker issue: | MDL-71760 Stored XSS in the web service token list via user ID number |
Insufficient capability checks meant message deletions were not limited to the current user.
| Severity/Risk: | Serious |
| Versions affected: | 3.11, 3.10 to 3.10.4, 3.9 to 3.9.7 and earlier unsupported versions |
| Versions fixed: | 3.11.1, 3.10.5 and 3.9.8 |
| Reported by: | 0xkasper |
| CVE identifier: | CVE-2021-36397 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71917 |
| Tracker issue: | MDL-71917 Messaging web service allows deletion of other users' messages |
Insufficient redirect handling made it possible to blindly bypass cURL blocked hosts/allowed ports restrictions, resulting in a blind SSRF risk. (Note: The request response was still blocked and not available to the user.)
| Severity/Risk: | Serious |
| Versions affected: | 3.11, 3.10 to 3.10.4, 3.9 to 3.9.7 and earlier unsupported versions |
| Versions fixed: | 3.11.1, 3.10.5 and 3.9.8 |
| Reported by: | Rekter0 and Holme |
| CVE identifier: | CVE-2021-36396 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71916 |
| Tracker issue: | MDL-71916 Blind SSRF possible against cURL blocked hosts via redirect |
The file repository's URL parsing required additional recursion handling to mitigate the risk of recursion denial of service.
| Severity/Risk: | Serious |
| Versions affected: | 3.11, 3.10 to 3.10.4, 3.9 to 3.9.7 and earlier unsupported versions |
| Versions fixed: | 3.11.1, 3.10.5 and 3.9.8 |
| Reported by: | 0xkasper |
| CVE identifier: | CVE-2021-36395 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71922 |
| Tracker issue: | MDL-71922 Recursion denial of service possible due to recursive cURL in file repository |
A remote code execution risk was identified in the Shibboleth authentication plugin. (Note: Shibboleth authentication is disabled by default in Moodle.)
| Severity/Risk: | Serious |
| Versions affected: | 3.11, 3.10 to 3.10.4, 3.9 to 3.9.7 and earlier unsupported versions |
| Versions fixed: | 3.11.1, 3.10.5 and 3.9.8 |
| Reported by: | Robin Peraglie and Johannes Moritz |
| CVE identifier: | CVE-2021-36394 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71957 |
| Tracker issue: | MDL-71957 Remote code execution risk when Shibboleth authentication is enabled |
An SQL injection risk was identified in the library fetching a user's recent courses
| Severity/Risk: | Serious |
| Versions affected: | 3.11, 3.10 to 3.10.4, 3.9 to 3.9.7 and earlier unsupported versions |
| Versions fixed: | 3.11.1, 3.10.5 and 3.9.8 |
| Reported by: | 0xkasper |
| CVE identifier: | CVE-2021-36393 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71242 |
| Tracker issue: | MDL-71242 SQL injection risk in code fetching recent courses |
An SQL injection risk was identified in the library fetching a user's enrolled courses
| Severity/Risk: | Serious |
| Versions affected: | 3.11, 3.10 to 3.10.4, 3.9 to 3.9.7 and earlier unsupported versions |
| Versions fixed: | 3.11.1, 3.10.5 and 3.9.8 |
| Reported by: | ldesignmedia |
| CVE identifier: | CVE-2021-36392 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71241 |
| Tracker issue: | MDL-71241 SQL injection risk in code fetching enrolled courses |
The H5P PHP library included with Moodle has been upgraded to the latest minor version, which includes a security fix.
| Severity/Risk: | Serious |
| Versions affected: | 3.10 to 3.10.3, 3.9 to 3.9.6 and 3.8 to 3.8.8 |
| Versions fixed: | 3.11, 3.10.4, 3.9.7 and 3.8.9 |
| Reported by: | Sara Arjona |
| CVE identifier: | N/A |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71408 |
| Tracker issue: | MDL-71408 Upgrade H5P PHP library to latest minor version (upstream) |
The redirect URI in the LTI authorization endpoint required extra sanitizing to prevent reflected XSS and open redirect risks.
| Severity/Risk: | Minor |
| Versions affected: | 3.10 to 3.10.3, 3.9 to 3.9.6, 3.8 to 3.8.8 and earlier unsupported versions |
| Versions fixed: | 3.11, 3.10.4, 3.9.7 and 3.8.9 |
| Reported by: | Jordan Tomkinson |
| CVE identifier: | CVE-2021-32478 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-70622 |
| Tracker issue: | MDL-70622 Reflected XSS and open redirect in LTI authorization endpoint |
The last time a user accessed the mobile app is displayed on their profile page, but should be restricted to users with the relevant capability (site administrators by default).
| Severity/Risk: | Minor |
| Versions affected: | 3.10 to 3.10.3 |
| Versions fixed: | 3.11 and 3.10.4 |
| Reported by: | Strifel |
| CVE identifier: | CVE-2021-32477 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71513 |
| Tracker issue: | MDL-71513 Last app access time is visible to non-site-admins on user profile page |