Security announcements

MSA-24-0031: Lack of access control when using external methods for Quiz overrides

by Michael Hawkins -

External API access to Quiz overrides contained insufficient access control.

Severity/Risk: Minor
Versions affected: 4.4 and 4.4.1
Versions fixed: 4.4.2
Reported by: Paul Holden
CVE identifier: CVE-2024-43430
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-82633
Tracker issue: MDL-82633 Lack of access control when using external methods for Quiz overrides

MSA-24-0030: User information visibility control issues in gradebook reports

by Michael Hawkins -

Some hidden user profile fields were visible in gradebook reports, which could result in some users without the "view hidden user fields" capability having access to the information.

Severity/Risk: Minor
Versions affected: 4.4 to 4.4.1, 4.3 to 4.3.5, 4.2 to 4.2.8, 4.1 to 4.1.11 and earlier unsupported versions
Versions fixed: 4.4.2, 4.3.6, 4.2.9 and 4.1.12
Reported by: Stefan Wilhelm
CVE identifier: CVE-2024-43429
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-79541
Tracker issue: MDL-79541 User information visibility control issues in gradebook reports

MSA-24-0029: Cache poisoning via injection into storage

by Michael Hawkins -

Additional localstorage validation was required to mitigate a cache poisoning risk.

Severity/Risk: Serious
Versions affected: 4.4 to 4.4.1, 4.3 to 4.3.5, 4.2 to 4.2.8, 4.1 to 4.1.11 and earlier unsupported versions
Versions fixed: 4.4.2, 4.3.6, 4.2.9 and 4.1.12
Reported by: Andrew Lyons
CVE identifier: CVE-2024-43428
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-81718
Tracker issue: MDL-81718 Cache poisoning via injection into storage

MSA-24-0028: Admin presets export tool includes some secrets that should not be exported

by Michael Hawkins -

When creating an export of site administration presets, some sensitive secrets/keys were not being excluded from the export, which could result in them being unintentionally leaked if the presets were shared with a third party.

Severity/Risk: Minor
Versions affected: 4.4 to 4.4.1, 4.3 to 4.3.5, 4.2 to 4.2.8, 4.1 to 4.1.11 and earlier unsupported versions
Versions fixed: 4.4.2, 4.3.6, 4.2.9 and 4.1.12
Reported by: Paul Holden
Workaround: Avoid exporting or distributing admin presets until the patch is applied.
CVE identifier: CVE-2024-43427
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-79373
Tracker issue: MDL-79373 Admin presets export tool includes some secrets that should not be exported

MSA-24-0027: Arbitrary file read risk through pdfTeX

by Michael Hawkins -

Insufficient sanitizing in the TeX notation filter resulted in an arbitrary file read risk on sites where pdfTeX is available (such as those with TeX Live installed).

Severity/Risk: Serious
Versions affected: 4.4 to 4.4.1, 4.3 to 4.3.5, 4.2 to 4.2.8, 4.1 to 4.1.11 and earlier unsupported versions
Versions fixed: 4.4.2, 4.3.6, 4.2.9 and 4.1.12
Reported by: TaiYou
Workaround: Disable the TeX filter until the patch is applied.
CVE identifier: CVE-2024-43426
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-82745
Tracker issue: MDL-82745 Arbitrary file read risk through pdfTeX

MSA-24-0026: Remote code execution via calculated question types

by Michael Hawkins -

Additional restrictions were required to avoid a remote code execution risk in calculated question types. (Note: This required the capability to add/update questions.)

Severity/Risk: Serious
Versions affected: 4.4 to 4.4.1, 4.3 to 4.3.5, 4.2 to 4.2.8, 4.1 to 4.1.11 and earlier unsupported versions
Versions fixed: 4.4.2, 4.3.6, 4.2.9 and 4.1.12
Reported by: RedTeam Pentesting GmbH
CVE identifier: CVE-2024-43425
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-82576
Tracker issue: MDL-82576 Remote code execution via calculated question types
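
The advisory above says only that "additional restrictions" were needed on calculated-question formulas, not how the formula is interpreted. The following is an added example, not Moodle's code and not the MDL-82576 fix: it shows the general hardening pattern for teacher-supplied formulas, parsing the expression into a syntax tree and interpreting only an allowlist of arithmetic operators, functions and constants, so that nothing outside the allowlist can ever execute. The function names, the allowlist and the sample formulas are assumptions for this example.

```python
"""Added example: a formula evaluator that never calls eval().

Not Moodle code. Illustrates the hardening principle behind
MSA-24-0026: a formula is parsed with ast.parse and only an
allowlist of node types, operators, functions and constants is
interpreted. Names, allowlist and sample formulas are assumptions.
"""
import ast
import math
import operator

# Allowlisted operators, mapped to their implementations.
BIN_OPS = {
    ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul,
    ast.Div: operator.truediv, ast.Mod: operator.mod, ast.Pow: operator.pow,
}
UNARY_OPS = {ast.USub: operator.neg, ast.UAdd: operator.pos}

# Allowlisted functions and constants. Anything not listed here is
# rejected, however harmless it looks; there is no fallback to builtins.
FUNCS = {
    "abs": abs, "round": round, "min": min, "max": max,
    "sqrt": math.sqrt, "exp": math.exp, "log": math.log,
    "sin": math.sin, "cos": math.cos, "tan": math.tan,
}
CONSTS = {"pi": math.pi, "e": math.e}

MAX_EXPONENT = 1000  # keeps 9**9**9 from hanging the worker


class FormulaError(ValueError):
    """Raised for any formula that is not plain arithmetic."""


def evaluate(formula, variables=None):
    """Evaluate an arithmetic formula over numeric variables.

    Attribute access, subscripts, lambdas, comprehensions, string
    literals and every builtin outside FUNCS are unreachable because
    the interpreter below simply has no case for them.
    """
    variables = variables or {}
    try:
        tree = ast.parse(formula, mode="eval")
    except SyntaxError as exc:
        raise FormulaError(f"cannot parse formula: {exc.msg}") from None
    return _eval(tree.body, variables)


def _eval(node, variables):
    if isinstance(node, ast.Constant):
        if isinstance(node.value, bool) or not isinstance(node.value, (int, float)):
            raise FormulaError("only numeric literals are allowed")
        return float(node.value)
    if isinstance(node, ast.Name):
        if node.id in variables:
            return float(variables[node.id])
        if node.id in CONSTS:
            return CONSTS[node.id]
        raise FormulaError(f"unknown name {node.id!r}")
    if isinstance(node, ast.UnaryOp) and type(node.op) in UNARY_OPS:
        return UNARY_OPS[type(node.op)](_eval(node.operand, variables))
    if isinstance(node, ast.BinOp) and type(node.op) in BIN_OPS:
        left = _eval(node.left, variables)
        right = _eval(node.right, variables)
        if isinstance(node.op, ast.Pow) and abs(right) > MAX_EXPONENT:
            raise FormulaError("exponent too large")
        try:
            return BIN_OPS[type(node.op)](left, right)
        except (ZeroDivisionError, OverflowError) as exc:
            raise FormulaError(str(exc)) from None
    if isinstance(node, ast.Call):
        # Only a bare allowlisted name may be called: no attribute
        # lookups (abs.__class__), no keyword or starred arguments.
        if not isinstance(node.func, ast.Name) or node.func.id not in FUNCS:
            raise FormulaError("function not allowed")
        if node.keywords:
            raise FormulaError("keyword arguments not allowed")
        args = [_eval(arg, variables) for arg in node.args]
        try:
            return float(FUNCS[node.func.id](*args))
        except (TypeError, ValueError, OverflowError) as exc:
            raise FormulaError(str(exc)) from None
    raise FormulaError(f"disallowed syntax: {type(node).__name__}")


def is_rejected(formula, variables=None):
    """True if the evaluator refuses the formula."""
    try:
        evaluate(formula, variables)
    except FormulaError:
        return True
    return False


if __name__ == "__main__":
    print(evaluate("sqrt(a**2 + b**2)", {"a": 3, "b": 4}))
    print(is_rejected("__import__('os').system('id')"))
```

The point of the allowlist is that the evaluator has to be extended deliberately to reach anything new; a denylist of dangerous names, by contrast, has to anticipate every way the runtime can be reached (attribute chains, dunder lookups, string building), which is the kind of gap that turns "additional restrictions were required" into an advisory.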

JavaScript “Polykill” Vulnerability

by Matt Porritt -

Hi All,

Some of you may have seen from various outlets that a vulnerability has been identified in the “polyfill.js” library and particularly the hosted version of that library (cdn.polyfill.io). This is a popular open source library that is used in many sites to add various JavaScript support features to older web browsers.

In light of this new vulnerability we have conducted a review of our Moodle products, associated moodle.org and moodle.com sites as well as our Moodle Cloud sites. We can confirm that our systems are not affected by this issue. We do not use this library in our product codebase or in the code of our company sites.

As a point of clarification the Moodle LMS codebase does include a file named `polyfill.js`, which might raise concerns due to the similarity in names. However, we assure you that this file is entirely unrelated to the vulnerability identified, and is just a coincidence.

We take security very seriously. Our team continuously monitors for new threats and vulnerabilities, ensuring that our products remain secure and reliable. We have robust processes in place to assess and mitigate any potential risks swiftly and effectively.

More information on this exploit can be found at https://polykill.io/ and this Sansec article provides a good overview.

Kind Regards,
Matt Porritt
Head of Platform Solutions.

MSA-24-0025: QR login key and auto-login key for the Moodle mobile app should be generated as separate keys

by Michael Hawkins -

A unique key should be generated for a user's QR login key and their auto-login key, so the same key cannot be used interchangeably between the two.

Severity/Risk: Minor
Versions affected: 4.4, 4.3 to 4.3.4, 4.2 to 4.2.7, 4.1 to 4.1.10 and earlier unsupported versions
Versions fixed: 4.4.1, 4.3.5, 4.2.8 and 4.1.11
Reported by: Juan Leyva
CVE identifier: CVE-2024-38277
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-80959
Tracker issue: MDL-80959 QR login key and auto-login key for the Moodle mobile app should be generated as separate keys

MSA-24-0024: CSRF risks due to misuse of confirm_sesskey

by Michael Hawkins -

Incorrect CSRF token checks resulted in multiple CSRF risks.

Severity/Risk: Serious
Versions affected: 4.4, 4.3 to 4.3.4, 4.2 to 4.2.7, 4.1 to 4.1.10 and earlier unsupported versions
Versions fixed: 4.4.1, 4.3.5, 4.2.8 and 4.1.11
Reported by: Vincent Schneider (cli-ish)
CVE identifier: CVE-2024-38276
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-81890
Tracker issue: MDL-81890 CSRF risks due to misuse of confirm_sesskey
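
The advisory gives the cause as "misuse of confirm_sesskey" without naming the affected call sites. In Moodle's session library, confirm_sesskey() returns a boolean while require_sesskey() throws on mismatch, so a check whose return value is discarded is a no-op. The following is an added example, not Moodle's code and not the MDL-81890 patch: a toy state-changing endpoint with the same boolean/aborting split, shown once with the result ignored and once with the aborting form. The session layout, request dictionaries and handler names are constructed for the example.

```python
"""Added example: a CSRF token check that cannot be silently ignored.

Not Moodle code. Mirrors the confirm_sesskey()/require_sesskey()
split: confirm_token() returns a bool, require_token() raises. The
flawed handler calls the boolean form and discards the result. The
session, request shape and record store are constructed for the example.
"""
import hmac
import secrets


class CsrfError(PermissionError):
    """Request carried no valid session key."""


def new_session(user="alice"):
    # Constructed stand-in for a server-side session: a per-session random
    # key plus some state a state-changing request can modify.
    return {"user": user, "sesskey": secrets.token_urlsafe(16), "records": {1: "r1", 2: "r2"}}


def confirm_token(session, request):
    """Boolean form: True if the submitted key matches the session's.

    Safe only when the caller acts on the result. Constant-time comparison
    so the key cannot be recovered byte by byte from timing."""
    submitted = request.get("sesskey")
    if not isinstance(submitted, str):
        return False
    return hmac.compare_digest(submitted, session["sesskey"])


def require_token(session, request):
    """Aborting form: raises on mismatch, so a forgotten `if` cannot
    turn the check into a no-op."""
    if not confirm_token(session, request):
        raise CsrfError("invalid sesskey")


def delete_record_flawed(session, request):
    # The misuse: the check runs but its result is discarded, so a
    # cross-site form post carrying no key still reaches the deletion.
    confirm_token(session, request)
    return session["records"].pop(int(request["id"]), None)


def delete_record_fixed(session, request):
    require_token(session, request)
    return session["records"].pop(int(request["id"]), None)


def attempt(handler, session, request):
    """Run a handler and report (rejected?, remaining record ids)."""
    try:
        handler(session, request)
        rejected = False
    except CsrfError:
        rejected = True
    return rejected, sorted(session["records"])


def legitimate_attempt(handler, rec_id):
    """Same-site request that carries the session's own key."""
    session = new_session()
    return attempt(handler, session, {"id": str(rec_id), "sesskey": session["sesskey"]})


if __name__ == "__main__":
    forged = {"id": "1"}  # what a cross-site <form> post can supply: no sesskey
    print("flawed:", attempt(delete_record_flawed, new_session(), forged))
    print("fixed :", attempt(delete_record_fixed, new_session(), forged))
    print("legit :", legitimate_attempt(delete_record_fixed, 2))
```

When auditing for this class of bug, grep for the boolean form and check that every call is inside a condition; a bare statement-level call to a function that only returns a result is the signature to look for.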

MSA-24-0023: HTTP authorization header is preserved between "emulated redirects"

by Michael Hawkins -

The cURL wrapper in Moodle retained the original request headers when following redirects, so HTTP authorization header information could be unintentionally sent in requests to redirect URLs.

Severity/Risk: Minor
Versions affected: 4.4, 4.3 to 4.3.4, 4.2 to 4.2.7, 4.1 to 4.1.10 and earlier unsupported versions
Versions fixed: 4.4.1, 4.3.5, 4.2.8 and 4.1.11
Reported by: cameron1729
CVE identifier: CVE-2024-38275
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-81774
Tracker issue: MDL-81774 HTTP authorization header is preserved between "emulated redirects"
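
The failure mode in this advisory is generic to any client that follows redirects itself: if the original header set is re-sent verbatim to the Location target, an Authorization header meant for the first host reaches whichever host the redirect names. The following is an added example, not Moodle's cURL wrapper and not the MDL-81774 fix: a small redirect-following loop with a pluggable fetch callback, run once with the leaky behaviour and once with credential headers dropped whenever the redirect leaves the original origin. The canned responses, host names and bearer token are constructed for the example.

```python
"""Added example: following redirects without leaking credentials.

Not Moodle code. Models the MSA-24-0023 failure mode (credential
headers re-sent to a redirect target on another origin) beside the
corrected behaviour. The fetch callback, responses and hosts are
constructed for this example.
"""
from urllib.parse import urljoin, urlsplit

MAX_REDIRECTS = 5
REDIRECT_STATUSES = {301, 302, 303, 307, 308}
# Headers that carry credentials and must not follow a redirect to
# another origin.
CREDENTIAL_HEADERS = {"authorization", "proxy-authorization", "cookie"}


def same_origin(url_a, url_b):
    a, b = urlsplit(url_a), urlsplit(url_b)
    return (a.scheme, a.hostname, a.port) == (b.scheme, b.hostname, b.port)


def scrub_for_redirect(headers, current, target):
    """Return the headers to send to `target` after a redirect from `current`."""
    if same_origin(current, target):
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() not in CREDENTIAL_HEADERS}


def follow(fetch, url, headers, scrub=True):
    """Follow redirects by hand, as a wrapper must when the underlying HTTP
    library is not allowed to. Returns (final_url, status, requests_sent),
    where requests_sent lists every (url, headers) pair actually transmitted."""
    sent = []
    current, current_headers = url, dict(headers)
    for _ in range(MAX_REDIRECTS + 1):
        sent.append((current, dict(current_headers)))
        status, resp_headers, _body = fetch(current, current_headers)
        location = {k.lower(): v for k, v in resp_headers.items()}.get("location")
        if status not in REDIRECT_STATUSES or location is None:
            return current, status, sent
        target = urljoin(current, location)
        # scrub=False reproduces the flaw: the original headers, Authorization
        # included, go to whatever host the Location header names.
        if scrub:
            current_headers = scrub_for_redirect(current_headers, current, target)
        current = target
    raise RuntimeError("too many redirects")


# Constructed responses standing in for real servers: the LMS redirects a
# resource request to a third-party host, and separately has a same-origin
# redirect from an old path to a new one.
CANNED = {
    "https://lms.example/api/resource": (302, {"Location": "https://cdn.third-party.example/file"}, b""),
    "https://cdn.third-party.example/file": (200, {}, b"payload"),
    "https://lms.example/old": (301, {"Location": "/new"}, b""),
    "https://lms.example/new": (200, {}, b"moved"),
}


def fake_fetch(url, headers):
    return CANNED[url]


def last_request_headers(url, scrub=True):
    """Headers transmitted with the final request in the redirect chain."""
    _final, _status, sent = follow(
        fake_fetch, url, {"Authorization": "Bearer s3cr3t", "Accept": "*/*"}, scrub)
    return sent[-1][1]


if __name__ == "__main__":
    print("leaky      :", last_request_headers("https://lms.example/api/resource", scrub=False))
    print("fixed      :", last_request_headers("https://lms.example/api/resource"))
    print("same origin:", last_request_headers("https://lms.example/old"))
```

Scheme is part of the origin check on purpose: a redirect from https to http on the same host would otherwise carry the bearer token over plaintext. Non-credential headers such as Accept are kept across the hop, since dropping them changes content negotiation for no security gain.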