MSA-22-0010: Stored XSS in assignment bulk marker allocation form via user ID number

by Michael Hawkins. ID numbers displayed when bulk allocating markers to assignments required additional sanitizing to prevent a stored XSS risk.
Severity/Risk: Minor
Versions affected: 4.0, 3.11 to 3.11.6, 3.10 to 3.10.10, 3.9 to 3.9.13 and earlier unsupported versions
Versions fixed: 4.0.1, 3.11.7, 3.10.11 and 3.9.14
Reported by: Paul Holden
CVE identifier: CVE-2022-30596
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-74204
Tracker issue: MDL-74204
More info: https://moodle.org/mod/forum/discuss.php?d=434578&parent=1748722

MSA-22-0011: Description field hidden by user policies (hiddenuserfields) is still visible

by Michael Hawkins. The description user field was not hidden when set as a hidden user field.
Severity/Risk: Minor
Versions affected: 4.0, 3.11 to 3.11.6, 3.10 to 3.10.10, 3.9 to 3.9.13 and earlier unsupported versions
Versions fixed: 4.0.1, 3.11.7, 3.10.11 and 3.9.14
Reported by: Bo Foght
CVE identifier: CVE-2022-30597
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-74318
Tracker issue: MDL-74318 Description field hidden by user policies
More info: https://moodle.org/mod/forum/discuss.php?d=434579&parent=1748723

MSA-22-0012: Global search results reveal authors of content unexpectedly for some activities

by Michael Hawkins. Global search results could include author information on some activities where a user may not otherwise have access to it.
Severity/Risk: Minor
Versions affected: 4.0, 3.11 to 3.11.6, 3.10 to 3.10.10, 3.9 to 3.9.13 and earlier unsupported versions
Versions fixed: 4.0.1, 3.11.7, 3.10.11 and 3.9.14
Reported by: Catalina
CVE identifier: CVE-2022-30598
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71623
Tracker issue: MDL-71623 Global
More info: https://moodle.org/mod/forum/discuss.php?d=434580&parent=1748724

MSA-22-0013: SQL injection risk in badge award criteria

by Michael Hawkins. An SQL injection risk was identified in Badges code relating to configuring criteria.
NOTE: in Moodle 4.0, 3.11.6, 3.10.10 and 3.9.13, access to this vulnerability was available to site administrators only. In earlier versions, access to the relevant capability was also limited to teachers and managers by default.
Severity/Risk: Serious
Versions affected: 4.0, 3.11 to 3.11.6, 3.10 to 3.10.10, 3.9 to 3.9.13 and earlier unsupported versions
Versions fixed: 4.0.1, 3.11.7, 3.10.11 and
More info: https://moodle.org/mod/forum/discuss.php?d=434581&parent=1748725

MSA-22-0014: Failed login attempts counted incorrectly

by Michael Hawkins. An issue in the logic used to count failed login attempts could result in the account lockout threshold being bypassed.
Severity/Risk: Serious
Versions affected: 4.0, 3.11 to 3.11.6, 3.10 to 3.10.10, 3.9 to 3.9.13 and earlier unsupported versions
Versions fixed: 4.0.1, 3.11.7, 3.10.11 and 3.9.14
Reported by: Shamim Rezaie
CVE identifier: CVE-2022-30600
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-73736
Tracker issue: MDL-73736
More info: https://moodle.org/mod/forum/discuss.php?d=434582&parent=1748726

K29735525: Apache HTTPD vulnerability CVE-2022-29404

Apache HTTPD vulnerability CVE-2022-29404
Security Advisory Description: In Apache HTTP Server 2.4.53 and earlier, a malicious request to a lua script that calls r:parsebody(0) ...
More info: https://support.f5.com/csp/article/K29735525?utm_source=f5support&utm_medium=RSS

K69309752: Apache HTTPD vulnerability CVE-2022-30556

Apache HTTPD vulnerability CVE-2022-30556
Security Advisory Description: Apache HTTP Server 2.4.53 and earlier may return lengths to applications calling r:wsread() that point ...
More info: https://support.f5.com/csp/article/K69309752?utm_source=f5support&utm_medium=RSS