by Michael Hawkins. Content on the groups page required additional sanitizing to prevent an XSS risk.Severity/Risk:MinorVersions affected:4.2, 4.1 to 4.1.3, 4.0 to 4.0.8 and 3.11 to 3.11.14Versions fixed:4.2.1, 4.1.4, 4.0.9 and 3.11.15Reported by:Petr SkodaCVE identifier:CVE-2023-35131Changes (master):http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-76683Tracker issue:MDL-76683 XSS risk on groups page
More info:
https://moodle.org/mod/forum/discuss.php?d=447829&parent=1799653
by Michael Hawkins. A limited SQL injection risk was identified on the Mnet SSO access control page.Severity/Risk:MinorVersions affected:4.2, 4.1 to 4.1.3, 4.0 to 4.0.8, 3.11 to 3.11.14, 3.9 to 3.9.21 and earlier unsupported versionsVersions fixed:4.2.1, 4.1.4, 4.0.9, 3.11.15 and 3.9.22Reported by:Paul HoldenCVE identifier:CVE-2023-35132Changes (master):http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-77193Tracker issue:MDL-77193 Minor SQL injection risk on
More info:
https://moodle.org/mod/forum/discuss.php?d=447830&parent=1799654
by Michael Hawkins. An issue in the logic used to check 0.0.0.0 against the cURL blocked hosts lists resulted in an SSRF risk.Severity/Risk:SeriousVersions affected:4.2, 4.1 to 4.1.3, 4.0 to 4.0.8, 3.11 to 3.11.14, 3.9 to 3.9.21 and earlier unsupported versionsVersions fixed:4.2.1, 4.1.4, 4.0.9, 3.11.15 and 3.9.22Reported by:Mateo HanžekCVE identifier:CVE-2023-35133Changes (master):http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-78215Tracker
More info:
https://moodle.org/mod/forum/discuss.php?d=447831&parent=1799656
