Day: 25 enero, 2022

Publicado el

MSA-22-0001: SQL injection risk in code fetching h5p activity user attempts

by Michael Hawkins. An SQL injection risk was identified in the h5p activity web service responsible for fetching user attempt data.Severity/Risk:SeriousVersions affected:3.11 to 3.11.4Versions fixed:3.11.5Reported by:Paul HoldenCVE identifier:CVE-2022-0332Changes (master):http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-72573Tracker issue:MDL-72573 SQL injection risk in code fetching h5p activity user attempts More info: https://moodle.org/mod/forum/discuss.php?d=431099&parent=1734813
Publicado el

MSA-22-0002: calendar:manageentries capability allows CRUD access to all calendar events

by Michael Hawkins. The calendar:manageentries capability allowed managers to access or modify any calendar event, but should have been restricted from accessing user level events.Severity/Risk:MinorVersions affected:3.11 to 3.11.4, 3.10 to 3.10.8, 3.9 to 3.9.11 and earlier unsupported versionsVersions fixed:3.11.5, 3.10.9 and 3.9.12Reported by:oct0pus7CVE identifier:CVE-2022-0333Changes (master):http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71239Tracker More info: https://moodle.org/mod/forum/discuss.php?d=431100&parent=1734814
Publicado el

MSA-22-0003: Capability gradereport/user:view not always respected when navigating to a users course grade report

by Michael Hawkins. Insufficient capability checks could lead to users accessing their grade report for courses where they did not have the required gradereport/user:view capability.Severity/Risk:MinorVersions affected:3.11 to 3.11.4, 3.10 to 3.10.8, 3.9 to 3.9.11 and earlier unsupported versionsVersions fixed:3.11.5, 3.10.9 and 3.9.12Reported by:Deds CastilloCVE identifier:CVE-2022-0334Changes More info: https://moodle.org/mod/forum/discuss.php?d=431102&parent=1734816
Publicado el

MSA-22-0004: CSRF risk in badge alignment deletion

by Michael Hawkins. The "delete badge alignment" functionality did not include the necessary token check to prevent a CSRF risk.Severity/Risk:SeriousVersions affected:3.11 to 3.11.4, 3.10 to 3.10.8, 3.9 to 3.9.11 and earlier unsupported versionsVersions fixed:3.11.5, 3.10.9 and 3.9.12Reported by:OstapbenderCVE identifier:CVE-2022-0335Changes (master):http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-72367Tracker issue:MDL-72367 CSRF risk in badge More info: https://moodle.org/mod/forum/discuss.php?d=431103&parent=1734817
Acceso Administrador
Translate »