Security announcements

MSA-24-0039: IDOR in Feedback non-respondents report allows messaging arbitrary site users

от Michael Hawkins -

Bulk messaging in the Feedback activity's non-respondents report did not verify message recipients belong to the set of users returned by the report.

Severity/Risk: Minor
Versions affected: 4.4 to 4.4.1, 4.3 to 4.3.5, 4.2 to 4.2.8, 4.1 to 4.1.11 and earlier unsupported versions
Versions fixed: 4.4.2, 4.3.6, 4.2.9 and 4.1.12
Reported by: Paul Holden
CVE identifier: CVE-2024-43438
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-82261
Tracker issue: MDL-82261 IDOR in Feedback non-respondents report allows messaging arbitrary site users
Обсудить эту тему  (Пока 0 ответов)

MSA-24-0038: XSS risk when restoring malicious course backup file

от Michael Hawkins -

Insufficient sanitizing of data when performing a restore could result in an XSS risk from malicious backup files.

Severity/Risk: Minor
Versions affected: 4.4 to 4.4.1, 4.3 to 4.3.5, 4.2 to 4.2.8, 4.1 to 4.1.11 and earlier unsupported versions
Versions fixed: 4.4.2, 4.3.6, 4.2.9 and 4.1.12
Reported by: Adam Chovanec
CVE identifier: CVE-2024-43437
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-81394
Tracker issue: MDL-81394 XSS risk when restoring malicious course backup file
Обсудить эту тему  (Пока 0 ответов)

MSA-24-0037: Site administration SQL injection via XMLDB editor

от Michael Hawkins -

An SQL injection risk was identified in the XMLDB editor tool available to site administrators

Severity/Risk: Serious
Versions affected: 4.4 to 4.4.1, 4.3 to 4.3.5, 4.2 to 4.2.8, 4.1 to 4.1.11 and earlier unsupported versions
Versions fixed: 4.4.2, 4.3.6, 4.2.9 and 4.1.12
Reported by: TaiYou
CVE identifier: CVE-2024-43436
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-82395
Tracker issue: MDL-82395 Site administration SQL injection via XMLDB editor
Обсудить эту тему  (Пока 0 ответов)

MSA-24-0036: Can create global glossary without being admin

от Michael Hawkins -

Insufficient capability checks made it possible for users with access to restore glossaries in courses to restore them into the global site glossary.

Severity/Risk: Minor
Versions affected: 4.4 to 4.4.1, 4.3 to 4.3.5, 4.2 to 4.2.8, 4.1 to 4.1.11 and earlier unsupported versions
Versions fixed: 4.4.2, 4.3.6, 4.2.9 and 4.1.12
Reported by: Robert Schrenk
CVE identifier: CVE-2024-43435
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-64984
Tracker issue: MDL-64984 Can create global glossary without being admin
Обсудить эту тему  (Пока 0 ответов)

MSA-24-0035: CSRF risk in Feedback non-respondents report

от Michael Hawkins -

The bulk message sending feature for the Feedback module's non-respondents report had an incorrect CSRF token check, resulting in a CSRF risk.

Severity/Risk: Serious
Versions affected: 4.4 to 4.4.1, 4.3 to 4.3.5, 4.2 to 4.2.8, 4.1 to 4.1.11 and earlier unsupported versions
Versions fixed: 4.4.2, 4.3.6, 4.2.9 and 4.1.12
Reported by: Paul Holden
CVE identifier: CVE-2024-43434
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-82262
Tracker issue: MDL-82262 CSRF risk in Feedback non-respondents report
Обсудить эту тему  (Пока 0 ответов)

MSA-24-0034: Matrix user/power level management not always working as expected with suspended users

от Michael Hawkins -

Matrix room membership and power levels were not correctly applied/revoked for suspended Moodle users

Severity/Risk: Minor
Versions affected: 4.4 to 4.4.1 and 4.3 to 4.3.5
Versions fixed: 4.4.2, 4.3.6
Reported by: Michael Hawkins
Workaround: Manually manage suspended users within Matrix (as a moderator/admin), until the patch is applied.
CVE identifier: CVE-2024-43433
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-81951
Tracker issue: MDL-81951 Matrix user/power level management not always working as expected with suspended users
Обсудить эту тему  (Пока 0 ответов)

MSA-24-0033: Authorization headers preserved between "emulated redirects"

от Michael Hawkins -

The cURL wrapper in Moodle stripped HTTPAUTH and USERPWD headers during emulated redirects, but retained other original request headers, so HTTP authorization header information could be unintentionally sent in requests to redirect URLs.

Severity/Risk: Minor
Versions affected: 4.4 to 4.4.1, 4.3 to 4.3.5, 4.2 to 4.2.8, 4.1 to 4.1.11 and earlier unsupported versions
Versions fixed: 4.4.2, 4.3.6, 4.2.9 and 4.1.12
Reported by: Marina Glancy
CVE identifier: CVE-2024-43432
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-82136
Tracker issue: MDL-82136 Authorization headers preserved between "emulated redirects"
Обсудить эту тему  (Пока 0 ответов)

MSA-24-0032: IDOR in badges allows deletion of arbitrary badges

от Michael Hawkins -

Insufficient capability checks made it possible to delete badges a user does not have permission to access.

Severity/Risk: Serious
Versions affected: 4.4 to 4.4.1, 4.3 to 4.3.5, 4.2 to 4.2.8, 4.1 to 4.1.11 and earlier unsupported versions
Versions fixed: 4.4.2, 4.3.6, 4.2.9 and 4.1.12
Reported by: Paul Holden
CVE identifier: CVE-2024-43431
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-82390
Tracker issue: MDL-82390 IDOR in badges allows deletion of arbitrary badges
Обсудить эту тему  (Пока 0 ответов)

MSA-24-0031: Lack of access control when using external methods for Quiz overrides

от Michael Hawkins -

External API access to Quiz overrides contained insufficient access control.

Severity/Risk: Minor
Versions affected: 4.4 and 4.4.1
Versions fixed: 4.4.2
Reported by: Paul Holden
CVE identifier: CVE-2024-43430
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-82633
Tracker issue: MDL-82633 Lack of access control when using external methods for Quiz overrides
Обсудить эту тему  (Пока 0 ответов)

MSA-24-0030: User information visibility control issues in gradebook reports

от Michael Hawkins -

Some hidden user profile fields were visible in gradebook reports, which could result in some users without the "view hidden user fields" capability having access to the information.

Severity/Risk: Minor
Versions affected: 4.4 to 4.4.1, 4.3 to 4.3.5, 4.2 to 4.2.8, 4.1 to 4.1.11 and earlier unsupported versions
Versions fixed: 4.4.2, 4.3.6, 4.2.9 and 4.1.12
Reported by: Stefan Wilhelm
CVE identifier: CVE-2024-43429
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-79541
Tracker issue: MDL-79541 User information visibility control issues in gradebook reports
Обсудить эту тему  (Пока 0 ответов)