Security announcements

MSA-24-0025: QR login key and auto-login key for the Moodle mobile app should be generated as separate keys

by Michael Hawkins

A unique key should be generated for a user's QR login key and their auto-login key, so the same key cannot be used interchangeably between the two.

Severity/Risk: Minor
Versions affected: 4.4, 4.3 to 4.3.4, 4.2 to 4.2.7, 4.1 to 4.1.10 and earlier unsupported versions
Versions fixed: 4.4.1, 4.3.5, 4.2.8 and 4.1.11
Reported by: Juan Leyva
CVE identifier: CVE-2024-38277
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-80959
Tracker issue: MDL-80959 QR login key and auto-login key for the Moodle mobile app should be generated as separate keys

MSA-24-0024: CSRF risks due to misuse of confirm_sesskey

by Michael Hawkins

Incorrect CSRF token checks resulted in multiple CSRF risks.

Severity/Risk: Serious
Versions affected: 4.4, 4.3 to 4.3.4, 4.2 to 4.2.7, 4.1 to 4.1.10 and earlier unsupported versions
Versions fixed: 4.4.1, 4.3.5, 4.2.8 and 4.1.11
Reported by: Vincent Schneider (cli-ish)
CVE identifier: CVE-2024-38276
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-81890
Tracker issue: MDL-81890 CSRF risks due to misuse of confirm_sesskey

MSA-24-0023: HTTP authorization header is preserved between "emulated redirects"

by Michael Hawkins

The cURL wrapper in Moodle retained the original request headers when following redirects, so HTTP authorization header information could be unintentionally sent in requests to redirect URLs.

Severity/Risk: Minor
Versions affected: 4.4, 4.3 to 4.3.4, 4.2 to 4.2.7, 4.1 to 4.1.10 and earlier unsupported versions
Versions fixed: 4.4.1, 4.3.5, 4.2.8 and 4.1.11
Reported by: cameron1729
CVE identifier: CVE-2024-38275
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-81774
Tracker issue: MDL-81774 HTTP authorization header is preserved between "emulated redirects"
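
The header handling described in MSA-24-0023, sketched as an added example (not Moodle's code or its patch): a hand-rolled redirect loop that drops authorization headers once a redirect leaves the current origin. The function names, the origin-comparison policy, the absolute `Location` values and the response table are assumptions constructed for illustration.

```php
<?php
// Added example, not Moodle code. All names are hypothetical; sample data is constructed.
/** Return "scheme://host:port" (default ports filled in), or null if the URL is not absolute. */
function origin_of(string $url): ?string {
    $p = parse_url($url);
    if ($p === false || empty($p['scheme']) || empty($p['host'])) {
        return null;
    }
    $scheme = strtolower($p['scheme']);
    $port = $p['port'] ?? ($scheme === 'https' ? 443 : 80);
    return $scheme . '://' . strtolower($p['host']) . ':' . $port;
}

/** Drop authorization header lines ("Name: value" strings, as passed to CURLOPT_HTTPHEADER). */
function strip_credentials(array $headers): array {
    $sensitive = ['authorization', 'proxy-authorization'];
    return array_values(array_filter($headers, function (string $line) use ($sensitive): bool {
        $name = strtolower(trim(strstr($line, ':', true) ?: $line));
        return !in_array($name, $sensitive, true);
    }));
}

/** Follow redirects by hand; returns every request made as [url, headers sent]. */
function follow_emulated(string $url, array $headers, array $responses, int $maxhops = 5): array {
    $sent = [];
    for ($hop = 0; $hop <= $maxhops; $hop++) {
        $sent[] = [$url, $headers];
        $location = $responses[$url] ?? null; // null stands for a final, non-3xx response
        if ($location === null) { return $sent; }
        // Once a hop leaves the current origin, credentials stay dropped for the rest of the chain.
        $to = origin_of($location);
        if ($to === null || $to !== origin_of($url)) {
            $headers = strip_credentials($headers);
        }
        $url = $location;
    }
    throw new RuntimeException('Too many redirects');
}

// Constructed sample: one same-origin hop, then a hop to a different host.
$responses = [
    'https://lms.example/a' => 'https://lms.example/b',
    'https://lms.example/b' => 'https://files.example/doc',
];
$first = ['Authorization: Bearer SAMPLE-TOKEN', 'Accept: */*'];
foreach (follow_emulated('https://lms.example/a', $first, $responses) as [$u, $h]) {
    echo $u, ' <- ', implode(' | ', $h), PHP_EOL;
}
```

In the sample chain the first two requests carry the `Authorization` line and the request to the second host carries only `Accept`.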

MSA-24-0022: Stored XSS via calendar's event title when deleting the event

by Michael Hawkins

Insufficient escaping of calendar event titles resulted in a stored XSS risk in the event deletion prompt.

Severity/Risk: Minor
Versions affected: 4.4, 4.3 to 4.3.4, 4.2 to 4.2.7, 4.1 to 4.1.10 and earlier unsupported versions
Versions fixed: 4.4.1, 4.3.5, 4.2.8 and 4.1.11
Reported by: Meirza
CVE identifier: CVE-2024-38274
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-81412
Tracker issue: MDL-81412 Stored XSS via calendar's event title when deleting the event

MSA-24-0021: BigBlueButton web service leaks meeting joining information to users who should not have access

by Michael Hawkins

Insufficient capability checks meant it was possible for users to gain access to BigBlueButton join URLs they did not have permission to access.

Severity/Risk: Minor
Versions affected: 4.4, 4.3 to 4.3.4, 4.2 to 4.2.7, 4.1 to 4.1.10 and earlier unsupported versions
Versions fixed: 4.4.1, 4.3.5, 4.2.8 and 4.1.11
Reported by: Paul Holden
CVE identifier: CVE-2024-38273
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-81778
Tracker issue: MDL-81778 BigBlueButton web service leaks meeting joining information to users who should not have access

MSA-24-0020: ReCAPTCHA can be bypassed on the login page

by Michael Hawkins

Insufficient checks on whether ReCAPTCHA was enabled made it possible to bypass the checks on the login page. This did not affect other pages where ReCAPTCHA is utilised.

Severity/Risk: Minor
Versions affected: 4.3 to 4.3.3
Versions fixed: 4.3.4
Reported by: caglaroflazoglu
CVE identifier: CVE-2024-34009
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-81463
Tracker issue: MDL-81463 ReCAPTCHA can be bypassed on the login page

MSA-24-0019: CSRF risk in analytics management of models

by Michael Hawkins

Actions in the admin management of analytics models did not include the necessary token to prevent a CSRF risk.

Severity/Risk: Minor
Versions affected: 4.0 to 4.3.3, 4.2 to 4.2.6, 4.1 to 4.1.9 and earlier unsupported versions
Versions fixed: 4.3.4, 4.2.7 and 4.1.10
Reported by: Paul Holden
CVE identifier: CVE-2024-34008
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-81059
Tracker issue: MDL-81059 CSRF risk in analytics management of models

MSA-24-0018: Logout CSRF in admin/tool/mfa/auth.php

by Michael Hawkins

The logout option within MFA did not include the necessary token to avoid the risk of users inadvertently being logged out via CSRF.

Severity/Risk: Minor
Versions affected: 4.3 to 4.3.3
Versions fixed: 4.3.4
Reported by: Petr Skoda
CVE identifier: CVE-2024-34007
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-80877
Tracker issue: MDL-80877 Logout CSRF in admin/tool/mfa/auth.php

MSA-24-0017: Unsanitized HTML in site log for config_log_created

by Michael Hawkins

The site log report required additional encoding of event descriptions to ensure any HTML in the content is displayed in plaintext instead of being rendered.

Severity/Risk: Minor
Versions affected: 4.0 to 4.3.3, 4.2 to 4.2.6, 4.1 to 4.1.9 and earlier unsupported versions
Versions fixed: 4.3.4, 4.2.7 and 4.1.10
Reported by: Leon Stringer
CVE identifier: CVE-2024-34006
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-80585
Tracker issue: MDL-80585 Unsanitized HTML in site log for config_log_created

MSA-24-0016: Authenticated LFI risk in some misconfigured shared hosting environments via modified mod_data backup

by Michael Hawkins

In a shared hosting environment that has been misconfigured to allow access to other users' content, a Moodle user with both access to restore database activity modules and direct access to the web server outside of the Moodle webroot could execute a local file include.

Severity/Risk: Serious
Versions affected: 4.0 to 4.3.3, 4.2 to 4.2.6, 4.1 to 4.1.9 and earlier unsupported versions
Versions fixed: 4.3.4, 4.2.7 and 4.1.10
Reported by: Vincent Schneider (cli-ish)
CVE identifier: CVE-2024-34005
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-81267
Tracker issue: MDL-81267 Authenticated LFI risk in some misconfigured shared hosting environments via modified mod_data backup