Security announcements

MSA-24-0015: Authenticated LFI risk in some misconfigured shared hosting environments via modified mod_wiki backup

by Michael Hawkins

In a shared hosting environment that has been misconfigured to allow access to other users' content, a Moodle user with both access to restore wiki modules and direct access to the web server outside of the Moodle webroot could execute a local file include.

Severity/Risk: Serious
Versions affected: 4.3 to 4.3.3, 4.2 to 4.2.6, 4.1 to 4.1.9 and earlier unsupported versions
Versions fixed: 4.3.4, 4.2.7 and 4.1.10
Reported by: Vincent Schneider (cli-ish)
CVE identifier: CVE-2024-34004
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-81284
Tracker issue: MDL-81284 Authenticated LFI risk in some misconfigured shared hosting environments via modified mod_wiki backup

MSA-24-0014: Authenticated LFI risk in some misconfigured shared hosting environments via modified mod_workshop backup

by Michael Hawkins

In a shared hosting environment that has been misconfigured to allow access to other users' content, a Moodle user with both access to restore workshop modules and direct access to the web server outside of the Moodle webroot could execute a local file include.

Severity/Risk: Serious
Versions affected: 4.3 to 4.3.3, 4.2 to 4.2.6, 4.1 to 4.1.9 and earlier unsupported versions
Versions fixed: 4.3.4, 4.2.7 and 4.1.10
Reported by: Vincent Schneider (cli-ish)
CVE identifier: CVE-2024-34003
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-80712
Tracker issue: MDL-80712 Authenticated LFI risk in some misconfigured shared hosting environments via modified mod_workshop backup

MSA-24-0013: Authenticated LFI risk in some misconfigured shared hosting environments via modified mod_feedback backup

by Michael Hawkins

In a shared hosting environment that has been misconfigured to allow access to other users' content, a Moodle user with both access to restore feedback modules and direct access to the web server outside of the Moodle webroot could execute a local file include.

Severity/Risk: Serious
Versions affected: 4.3 to 4.3.3, 4.2 to 4.2.6, 4.1 to 4.1.9 and earlier unsupported versions
Versions fixed: 4.3.4, 4.2.7 and 4.1.10
Reported by: Vincent Schneider (cli-ish)
CVE identifier: CVE-2024-34002
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-81135
Tracker issue: MDL-81135 Authenticated LFI risk in some misconfigured shared hosting environments via modified mod_feedback backup
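The three advisories above (MSA-24-0015, -0014 and -0013) describe the same defect in three restore steps, so one illustration serves all of them. The code below is an added example, not Moodle's code and not the patch in the linked commits; it assumes a restore step that reads a name from the backup archive's XML and uses it to locate a PHP file to include. BASE_DIR, load_format_unsafe() and load_format_safe() are hypothetical names.

```php
<?php
// Added example, not Moodle code. Assumes a restore step that takes a name
// from backup XML and includes "<base>/<name>/lib.php" (all names hypothetical).

const BASE_DIR = '/var/www/moodle/mod/example/formats';

// Vulnerable shape: the archive-supplied name becomes a path component, so a
// value such as "../../../../home/other/upload" makes any readable file PHP.
function load_format_unsafe(string $name): string {
    return BASE_DIR . '/' . $name . '/lib.php';
}

// Hardened: accept only a strict identifier, require the target to exist, and
// confirm the *resolved* path is still inside the base directory.
function load_format_safe(string $name, string $base = BASE_DIR): ?string {
    if (!preg_match('/^[a-z][a-z0-9_]{0,29}$/', $name)) {
        return null; // not a plugin name: reject before touching the filesystem
    }
    $basereal = realpath($base);
    $target = realpath($base . '/' . $name . '/lib.php');
    if ($basereal === false || $target === false) {
        return null; // missing base or target: nothing to include
    }
    // realpath() has resolved ".." and symlinks, so a prefix test is meaningful.
    $prefix = $basereal . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null; // a symlink or similar escaped the base directory
    }
    return $target;
}

// Demonstration with a constructed, attacker-shaped value.
$fromarchive = '../../../../etc/passwd';
var_dump(load_format_unsafe($fromarchive)); // string: a path outside BASE_DIR
var_dump(load_format_safe($fromarchive));   // NULL: rejected by the identifier check

// Only a validated path is ever handed to require_once():
// $path = load_format_safe($fromarchive);
// if ($path !== null) { require_once($path); }
```

The precondition in the advisories (direct access to the server outside the webroot on a misconfigured shared host) is what gives the attacker a file worth including; the restore-side fix is to stop trusting the archive for anything that selects a path. realpath() returns false for a missing target, which turns a typo into a rejection rather than a fall-through, and because it also resolves symlinks the prefix test catches a symlinked subdirectory pointing outside the base.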

MSA-24-0012: CSRF risk in admin preset tool management of presets

by Michael Hawkins

Actions in the admin preset tool did not include the necessary token to prevent a CSRF risk.

Severity/Risk: Minor
Versions affected: 4.3 to 4.3.3, 4.2 to 4.2.6, 4.1 to 4.1.9 and earlier unsupported versions
Versions fixed: 4.3.4, 4.2.7 and 4.1.10
Reported by: Paul Holden
CVE identifier: CVE-2024-34001
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-81058
Tracker issue: MDL-81058 CSRF risk in admin preset tool management of presets
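The missing token in MSA-24-0012 is the classic CSRF gap: a state-changing admin action that runs on any request carrying the admin's cookies, whichever origin sent it. The block below is an added example, not Moodle's code; Moodle's real mechanism is the session key (sesskey, checked by require_sesskey()), and the stand-alone token handling here uses hypothetical function names and an array in place of $_SESSION.

```php
<?php
// Added example, not Moodle code. Stand-alone equivalent of a session-key check
// with hypothetical names; $session is an array standing in for $_SESSION.

// Vulnerable shape: a state-changing action keyed only on request parameters.
// A page on another origin can submit this request with the victim's cookies.
function delete_preset_unsafe(array $request, array &$presets): bool {
    $id = (int)($request['delete'] ?? 0);
    if (!isset($presets[$id])) {
        return false;
    }
    unset($presets[$id]);
    return true;
}

// Issue one unguessable token per session and embed it in every action link/form.
function action_token(array &$session): string {
    if (empty($session['token'])) {
        $session['token'] = bin2hex(random_bytes(16));
    }
    return $session['token'];
}

// Constant-time comparison against the session copy, which other origins cannot read.
function token_valid(array $session, array $request): bool {
    $expected = (string)($session['token'] ?? '');
    $given = (string)($request['token'] ?? '');
    return $expected !== '' && hash_equals($expected, $given);
}

// Hardened: same action, refused unless the request carries the session token.
function delete_preset_safe(array $session, array $request, array &$presets): bool {
    if (!token_valid($session, $request)) {
        return false; // Moodle's require_sesskey() throws at this point
    }
    return delete_preset_unsafe($request, $presets);
}

// The link the admin page renders must carry the token for the check to pass
// (the path is hypothetical).
function delete_link(int $id, string $token): string {
    return '/admin/tool/example/index.php?' . http_build_query(['delete' => $id, 'token' => $token]);
}

// Demonstration with constructed session, request and preset data.
$session = [];
$presets = [1 => 'Starter', 2 => 'Full'];
$token = action_token($session);

var_dump(delete_preset_safe($session, ['delete' => 2], $presets));                    // false: forged
var_dump(delete_preset_safe($session, ['delete' => 2, 'token' => $token], $presets));  // true: legitimate
var_dump($presets);                                                                     // [1 => 'Starter']
echo delete_link(1, $token), "\n";
```

The check has to sit in the handler, not only in the link generator: an attacker never uses the site's links, they build their own request. Destructive actions should also be POST rather than GET, so a plain image tag or link cannot trigger them, but the token is what actually distinguishes a first-party submission from a forged one.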

MSA-24-0011: Stored XSS in lesson overview report via user ID number

by Michael Hawkins

ID numbers displayed in the lesson overview report required additional sanitizing to prevent a stored XSS risk.

Severity/Risk: Minor
Versions affected: 4.3 to 4.3.3, 4.2 to 4.2.6, 4.1 to 4.1.9 and earlier unsupported versions
Versions fixed: 4.3.4, 4.2.7 and 4.1.10
Reported by: Paul Holden
CVE identifier: CVE-2024-34000
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-81062
Tracker issue: MDL-81062 Stored XSS in lesson overview report via user ID number

MSA-24-0010: Unsafe direct use of $_SERVER['HTTP_REFERER'] in admin/tool/mfa/index.php

by Michael Hawkins

The referrer URL used by MFA required additional sanitizing, rather than being used directly.

Severity/Risk: Minor
Versions affected: 4.3 to 4.3.3
Versions fixed: 4.3.4
Reported by: Petr Skoda
CVE identifier: CVE-2024-33999
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-80878
Tracker issue: MDL-80878 Unsafe direct use of $_SERVER['HTTP_REFERER'] in admin/tool/mfa/index.php
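The referrer header is request data chosen by whoever made the request, so using it as a "return to" target without validation is an open redirect at best. The function below is an added example, not Moodle's code (Moodle's own parameter cleaning has the PARAM_LOCALURL type for this purpose); safe_return_url() and its fallback are hypothetical, and the inputs are constructed.

```php
<?php
// Added example, not Moodle code. $_SERVER['HTTP_REFERER'] is client-supplied
// text; before using it as a redirect target, confirm it points at this site.

function safe_return_url(?string $referer, string $wwwroot, string $fallback): string {
    if ($referer === null || $referer === '' || preg_match('/[\r\n]/', $referer)) {
        return $fallback;
    }
    $ref = parse_url($referer);
    $site = parse_url($wwwroot);
    if ($ref === false || $site === false || empty($ref['scheme']) || empty($ref['host'])) {
        return $fallback; // relative, scheme-relative ("//host") or malformed: do not trust
    }
    // Same origin: scheme, host and port must all match the configured site root.
    if (strtolower($ref['scheme']) !== strtolower($site['scheme'] ?? '')
        || strtolower($ref['host']) !== strtolower($site['host'] ?? '')
        || ($ref['port'] ?? null) !== ($site['port'] ?? null)) {
        return $fallback;
    }
    // Stay under the site's own path prefix (Moodle may live in a subdirectory).
    $siteprefix = rtrim($site['path'] ?? '', '/');   // '' or e.g. '/moodle'
    $refpath = $ref['path'] ?? '/';
    $inside = $refpath === $siteprefix
        || strncmp($refpath, $siteprefix . '/', strlen($siteprefix) + 1) === 0;
    if (!$inside) {
        return $fallback;
    }
    // Rebuild from parsed parts: userinfo, fragment and anything unparsed are dropped.
    $url = $wwwroot . substr($refpath, strlen($siteprefix));
    if (isset($ref['query']) && $ref['query'] !== '') {
        $url .= '?' . $ref['query'];
    }
    return $url;
}

// Constructed inputs (the real value would be $_SERVER['HTTP_REFERER'] ?? null).
$wwwroot = 'https://moodle.example';
foreach ([
    'https://moodle.example/course/view.php?id=3',  // same origin: kept
    'https://evil.example/login',                   // other host: fallback
    'https://moodle.example.evil.example/',         // suffix trick: fallback
    '//evil.example/',                              // scheme-relative: fallback
    'javascript:alert(1)',                          // no host: fallback
    'https://user:pw@moodle.example/x#frag',        // rebuilt without userinfo/fragment
] as $ref) {
    echo safe_return_url($ref, $wwwroot, $wwwroot . '/my/'), "\n";
}
```

Comparing whole parsed components rather than doing a substring test on the raw header is what defeats the "moodle.example.evil.example" and "https://moodle.example@evil.example" shapes; rebuilding the URL from those components, rather than echoing the header, is what keeps anything the parser ignored from reaching the Location header.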

MSA-24-0009: Stored XSS via user's name on participants page when opening some options

by Michael Hawkins

Insufficient escaping of participants' names in the participants page table resulted in a stored XSS risk when interacting with some features.

Severity/Risk: Minor
Versions affected: 4.3 to 4.3.3, 4.2 to 4.2.6, 4.1 to 4.1.9 and earlier unsupported versions
Versions fixed: 4.3.4, 4.2.7 and 4.1.10
Reported by: Aleksey Solovev (Positive Technologies)
CVE identifier: CVE-2024-33998
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-81354
Tracker issue: MDL-81354 Stored XSS via user's name on participants page when opening some options

MSA-24-0008: Stored XSS risk when editing another user's equation in equation editor

by Michael Hawkins

Additional sanitizing was required when opening the equation editor, to prevent a stored XSS risk when editing another user's equation.

Severity/Risk: Minor
Versions affected: 4.3 to 4.3.3, 4.2 to 4.2.6, 4.1 to 4.1.9 and earlier unsupported versions
Versions fixed: 4.3.4, 4.2.7 and 4.1.10
Reported by: Aleksey Solovev (Positive Technologies)
CVE identifier: CVE-2024-33997
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-81352
Tracker issue: MDL-81352 Stored XSS risk when editing another user's equation in equation editor
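MSA-24-0011, -0009 and -0008 are all output-escaping failures on fields a user controls (ID number, name, equation text), differing only in the context the value lands in. The block below is an added example, not Moodle's code (Moodle's own helpers for this are s() and format_string()); it shows an HTML cell, an attribute, and, assuming the equation editor passes stored text to a JavaScript initialiser, a script context. Function names are hypothetical and the payloads are constructed.

```php
<?php
// Added example, not Moodle code. The same stored value needs different
// escaping depending on the output context it is rendered into.

function esc_html(string $v): string {
    return htmlspecialchars($v, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// HTML body context (a cell in the lesson overview or participants table).
function report_cell_unsafe(string $idnumber): string {
    return '<td>' . $idnumber . '</td>'; // stored payload renders as markup
}
function report_cell_safe(string $idnumber): string {
    return '<td>' . esc_html($idnumber) . '</td>';
}

// Attribute context (e.g. a name carried in a data-* attribute for page JS).
// ENT_QUOTES matters here: without it a double quote ends the attribute.
function name_attr_safe(string $fullname): string {
    return '<a href="#" data-fullname="' . esc_html($fullname) . '">' . esc_html($fullname) . '</a>';
}

// JavaScript string context (assumed: an editor initialised with stored text).
// HTML escaping is the wrong tool; emit a JSON literal with HTML-significant
// characters hex-escaped so "</script>" or a quote cannot break out.
function editor_init_unsafe(string $equation): string {
    return "<script>initEditor('" . $equation . "');</script>";
}
function editor_init_safe(string $equation): string {
    $literal = json_encode($equation, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
    return '<script>initEditor(' . $literal . ');</script>';
}

// Constructed payloads of the kind a user can place in their own profile/content.
$idnumber = '<img src=x onerror=alert(1)>';
$fullname = 'Ann" onmouseover="alert(1)';
$equation = "x'); alert(document.cookie); ('";

echo report_cell_unsafe($idnumber), "\n"; // executes in the viewer's browser
echo report_cell_safe($idnumber), "\n";   // <td>&lt;img src=x onerror=alert(1)&gt;</td>
echo name_attr_safe($fullname), "\n";     // quote becomes &quot;, attribute stays closed
echo editor_init_unsafe($equation), "\n"; // breaks out of the string literal
echo editor_init_safe($equation), "\n";   // initEditor("x\u0027); alert(document.cookie); (\u0027");
```

Escaping belongs at the point of output because one field (a user's name or ID number) is rendered into many pages and contexts, and filtering on input would have to anticipate all of them. JSON_HEX_TAG is what makes the JSON form safe inside a script element: plain json_encode() leaves "<" and ">" untouched.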

MSA-24-0007: Broken access control when setting calendar event type

by Michael Hawkins

Incorrect validation of allowed event types in a calendar web service made it possible for some users to create events with types/audiences they did not have permission to publish to.

Severity/Risk: Serious
Versions affected: 4.3 to 4.3.3, 4.2 to 4.2.6, 4.1 to 4.1.9 and earlier unsupported versions
Versions fixed: 4.3.4, 4.2.7 and 4.1.10
Reported by: David Utón (m3n0sd0n4ld)
CVE identifier: CVE-2024-33996
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-81247
Tracker issue: MDL-81247 Broken access control when setting calendar event type

MSA-24-0006: IDOR on dashboard comments block

by Michael Hawkins

Insufficient checks in a web service made it possible to add comments to the comments block on another user's dashboard when it was not otherwise available (e.g. on their profile page).

Severity/Risk: Minor
Versions affected: 4.3 to 4.3.2, 4.2 to 4.2.5, 4.1 to 4.1.8 and earlier unsupported versions
Versions fixed: 4.3.3, 4.2.6 and 4.1.9
Reported by: BA7MAN
CVE identifier: CVE-2024-25983
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-78300
Tracker issue: MDL-78300 IDOR on dashboard comments block
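MSA-24-0007 and MSA-24-0006 are both web-service authorization failures of the same kind: the service accepted a client-chosen target (an event type, a comments area on another user's dashboard) and did not re-derive on the server what the caller was actually allowed to do. The block below is an added example, not Moodle's code. Its capability table is constructed, has_cap() stands in for has_capability() with contexts omitted, and while the two capability names are Moodle's, the mapping from capabilities to event types is this example's assumption.

```php
<?php
// Added example, not Moodle code. Constructed capability table; has_cap() stands
// in for has_capability() with contexts omitted. The capability-to-event-type
// mapping below is illustrative only.

const CAPS = [
    10 => ['moodle/calendar:manageownentries'],                                   // ordinary user
    20 => ['moodle/calendar:manageownentries', 'moodle/calendar:manageentries'],  // editing role
];

function has_cap(int $userid, string $cap): bool {
    return in_array($cap, CAPS[$userid] ?? [], true);
}

// Allowed audiences come from the caller's capabilities, never from the request.
function allowed_event_types(int $userid): array {
    $types = [];
    if (has_cap($userid, 'moodle/calendar:manageownentries')) {
        $types[] = 'user';
    }
    if (has_cap($userid, 'moodle/calendar:manageentries')) {
        array_push($types, 'group', 'course', 'site');
    }
    return $types;
}

// Vulnerable shape: checks that eventtype is *a* known type, not one this
// caller may publish to, so an ordinary user can create a site-wide event.
function create_event_unsafe(int $userid, array $req): ?array {
    $type = (string)($req['eventtype'] ?? '');
    if (!in_array($type, ['user', 'group', 'course', 'category', 'site'], true)) {
        return null;
    }
    return ['userid' => $userid, 'eventtype' => $type, 'name' => (string)$req['name']];
}

// Hardened: the client value is accepted only if it is in the server-derived set.
function create_event_safe(int $userid, array $req): ?array {
    $type = (string)($req['eventtype'] ?? '');
    if (!in_array($type, allowed_event_types($userid), true)) {
        return null;
    }
    return ['userid' => $userid, 'eventtype' => $type, 'name' => (string)$req['name']];
}

// IDOR variant: a comments block on a dashboard belongs to one user. The service
// must resolve the target area to its owner and compare with the caller, rather
// than act on any area id an authenticated user happens to name.
function add_dashboard_comment_safe(int $callerid, array $area, string $text, array &$comments): bool {
    if ($area['owner'] !== $callerid) {
        return false; // someone else's dashboard: the block is not available to the caller
    }
    $comments[] = ['area' => $area['id'], 'userid' => $callerid, 'content' => $text];
    return true;
}

// Demonstration with constructed requests.
$req = ['eventtype' => 'site', 'name' => 'Fake maintenance notice'];
var_dump(create_event_unsafe(10, $req) !== null); // true: ordinary user publishes site-wide
var_dump(create_event_safe(10, $req) !== null);   // false
var_dump(create_event_safe(20, $req) !== null);   // true

$comments = [];
$area = ['id' => 7, 'owner' => 20];               // comments block on user 20's dashboard
var_dump(add_dashboard_comment_safe(10, $area, 'hi', $comments));           // false: not the owner
var_dump(add_dashboard_comment_safe(20, $area, 'note to self', $comments)); // true
```

The common thread is that a web service is an API, not a form: the UI may hide options the user lacks permission for, but the service receives whatever the client chooses to send, so each call must recompute the permitted set (or the owner of the target object) from the caller's own rights before writing anything.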