Security announcements

MSA-24-0038: XSS risk when restoring malicious course backup file

by Michael Hawkins

Insufficient sanitizing of data when performing a restore could result in an XSS risk from malicious backup files.

Severity/Risk: Minor
Versions affected: 4.4 to 4.4.1, 4.3 to 4.3.5, 4.2 to 4.2.8, 4.1 to 4.1.11 and earlier unsupported versions
Versions fixed: 4.4.2, 4.3.6, 4.2.9 and 4.1.12
Reported by: Adam Chovanec
CVE identifier: CVE-2024-43437
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-81394
Tracker issue: MDL-81394 XSS risk when restoring malicious course backup file

MSA-24-0037: Site administration SQL injection via XMLDB editor

by Michael Hawkins

An SQL injection risk was identified in the XMLDB editor tool available to site administrators.

Severity/Risk: Serious
Versions affected: 4.4 to 4.4.1, 4.3 to 4.3.5, 4.2 to 4.2.8, 4.1 to 4.1.11 and earlier unsupported versions
Versions fixed: 4.4.2, 4.3.6, 4.2.9 and 4.1.12
Reported by: TaiYou
CVE identifier: CVE-2024-43436
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-82395
Tracker issue: MDL-82395 Site administration SQL injection via XMLDB editor

MSA-24-0036: Can create global glossary without being admin

by Michael Hawkins

Insufficient capability checks made it possible for users with access to restore glossaries in courses to restore them into the global site glossary.

Severity/Risk: Minor
Versions affected: 4.4 to 4.4.1, 4.3 to 4.3.5, 4.2 to 4.2.8, 4.1 to 4.1.11 and earlier unsupported versions
Versions fixed: 4.4.2, 4.3.6, 4.2.9 and 4.1.12
Reported by: Robert Schrenk
CVE identifier: CVE-2024-43435
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-64984
Tracker issue: MDL-64984 Can create global glossary without being admin

MSA-24-0035: CSRF risk in Feedback non-respondents report

by Michael Hawkins

The bulk message sending feature for the Feedback module's non-respondents report had an incorrect CSRF token check, resulting in a CSRF risk.

Severity/Risk: Serious
Versions affected: 4.4 to 4.4.1, 4.3 to 4.3.5, 4.2 to 4.2.8, 4.1 to 4.1.11 and earlier unsupported versions
Versions fixed: 4.4.2, 4.3.6, 4.2.9 and 4.1.12
Reported by: Paul Holden
CVE identifier: CVE-2024-43434
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-82262
Tracker issue: MDL-82262 CSRF risk in Feedback non-respondents report

MSA-24-0034: Matrix user/power level management not always working as expected with suspended users

by Michael Hawkins

Matrix room membership and power levels were not correctly applied or revoked for suspended Moodle users.

Severity/Risk: Minor
Versions affected: 4.4 to 4.4.1 and 4.3 to 4.3.5
Versions fixed: 4.4.2, 4.3.6
Reported by: Michael Hawkins
Workaround: Manually manage suspended users within Matrix (as a moderator/admin), until the patch is applied.
CVE identifier: CVE-2024-43433
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-81951
Tracker issue: MDL-81951 Matrix user/power level management not always working as expected with suspended users

MSA-24-0033: Authorization headers preserved between "emulated redirects"

by Michael Hawkins

The cURL wrapper in Moodle stripped the HTTPAUTH and USERPWD settings during emulated redirects but retained the other original request headers, so HTTP Authorization header information could be unintentionally sent in requests to the redirect URLs.

Severity/Risk: Minor
Versions affected: 4.4 to 4.4.1, 4.3 to 4.3.5, 4.2 to 4.2.8, 4.1 to 4.1.11 and earlier unsupported versions
Versions fixed: 4.4.2, 4.3.6, 4.2.9 and 4.1.12
Reported by: Marina Glancy
CVE identifier: CVE-2024-43432
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-82136
Tracker issue: MDL-82136 Authorization headers preserved between "emulated redirects"
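The defect class behind this advisory is a client that follows redirects itself and carries every original request header into the next hop. The following is an added illustration, not Moodle's cURL wrapper or its fix: a small emulated-redirect loop that keeps credential-bearing headers only while the hop stays on the same origin, run against a constructed in-memory "network" (the hostnames `lms.example` and `cdn.other.example`, the routes, and the `fetch` callback signature are all assumptions made for this example).

```python
"""Emulated redirect following that does not carry credential headers
across origins. Added example; it is not Moodle code and does not model
Moodle's actual fix, only the principle the advisory describes."""
from urllib.parse import urlsplit, urljoin

# Request headers that carry credentials. They are dropped whenever a
# redirect leaves the origin the credentials were issued for.
SENSITIVE_HEADERS = frozenset({"authorization", "proxy-authorization", "cookie"})

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """(scheme, host, port) triple used to compare origins."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    return (scheme, (parts.hostname or "").lower(), parts.port or DEFAULT_PORTS.get(scheme))


def headers_for_redirect(headers, from_url, to_url):
    """Headers to send on the redirected request.

    Same-origin hop: everything is kept. Cross-origin hop: credential-bearing
    headers are removed; the rest (Accept, User-Agent, ...) are kept.
    """
    if origin(from_url) == origin(to_url):
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() not in SENSITIVE_HEADERS}


def follow_redirects(fetch, url, headers, max_hops=5):
    """Emulated redirect loop.

    `fetch(url, headers)` is a hypothetical transport callback returning
    (status, response_headers, body). Each hop re-derives the header set.
    """
    for _ in range(max_hops + 1):
        status, resp_headers, body = fetch(url, headers)
        location = {k.lower(): v for k, v in resp_headers.items()}.get("location")
        if status not in (301, 302, 303, 307, 308) or location is None:
            return url, status, body
        next_url = urljoin(url, location)
        headers = headers_for_redirect(headers, url, next_url)
        url = next_url
    raise RuntimeError("too many redirects")


# --- constructed fake network for the demonstration (not real hosts) ---
SEEN = []  # (url, headers) pairs observed by the fake servers

ROUTES = {
    # same-origin hop: credentials may follow
    "https://lms.example/api/file": (302, {"Location": "/api/file/v2"}),
    # cross-origin hop: credentials must not follow
    "https://lms.example/api/file/v2": (302, {"Location": "https://cdn.other.example/grab"}),
    "https://cdn.other.example/grab": (200, {}),
}


def fake_fetch(url, headers):
    SEEN.append((url, dict(headers)))
    status, resp_headers = ROUTES[url]
    return status, resp_headers, (b"payload" if status == 200 else b"")


def demo():
    """Run the chain and report which headers reached the foreign origin."""
    SEEN.clear()
    start_headers = {"Authorization": "Bearer constructed-token", "Accept": "application/json"}
    final_url, status, _ = follow_redirects(fake_fetch, "https://lms.example/api/file", start_headers)
    foreign = [h for u, h in SEEN if origin(u) != origin("https://lms.example/")]
    return final_url, status, foreign


if __name__ == "__main__":
    print(demo())
```

The decision is made per hop rather than once at the start: the first hop above is same-origin and keeps the Authorization header, the second leaves the origin and drops it, while non-credential headers such as Accept travel the whole way. A scheme downgrade (https to http on the same host) also counts as a different origin.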

MSA-24-0032: IDOR in badges allows deletion of arbitrary badges

by Michael Hawkins

Insufficient capability checks made it possible to delete badges a user does not have permission to access.

Severity/Risk: Serious
Versions affected: 4.4 to 4.4.1, 4.3 to 4.3.5, 4.2 to 4.2.8, 4.1 to 4.1.11 and earlier unsupported versions
Versions fixed: 4.4.2, 4.3.6, 4.2.9 and 4.1.12
Reported by: Paul Holden
CVE identifier: CVE-2024-43431
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-82390
Tracker issue: MDL-82390 IDOR in badges allows deletion of arbitrary badges

MSA-24-0031: Lack of access control when using external methods for Quiz overrides

by Michael Hawkins

External API access to Quiz overrides contained insufficient access control.

Severity/Risk: Minor
Versions affected: 4.4 and 4.4.1
Versions fixed: 4.4.2
Reported by: Paul Holden
CVE identifier: CVE-2024-43430
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-82633
Tracker issue: MDL-82633 Lack of access control when using external methods for Quiz overrides

MSA-24-0030: User information visibility control issues in gradebook reports

by Michael Hawkins

Some hidden user profile fields were visible in gradebook reports, which could result in some users without the "view hidden user fields" capability having access to the information.

Severity/Risk: Minor
Versions affected: 4.4 to 4.4.1, 4.3 to 4.3.5, 4.2 to 4.2.8, 4.1 to 4.1.11 and earlier unsupported versions
Versions fixed: 4.4.2, 4.3.6, 4.2.9 and 4.1.12
Reported by: Stefan Wilhelm
CVE identifier: CVE-2024-43429
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-79541
Tracker issue: MDL-79541 User information visibility control issues in gradebook reports

MSA-24-0029: Cache poisoning via injection into storage

by Michael Hawkins

Additional localStorage validation was required to mitigate a cache poisoning risk.

Severity/Risk: Serious
Versions affected: 4.4 to 4.4.1, 4.3 to 4.3.5, 4.2 to 4.2.8, 4.1 to 4.1.11 and earlier unsupported versions
Versions fixed: 4.4.2, 4.3.6, 4.2.9 and 4.1.12
Reported by: Andrew Lyons
CVE identifier: CVE-2024-43428
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-81718
Tracker issue: MDL-81718 Cache poisoning via injection into storage