by Michael Hawkins. Permission overrides on individual blocks in the system dashboard did not cascade to user dashboards.
Severity/Risk: Minor
Versions affected: 4.2 to 4.2.1, 4.1 to 4.1.4, 4.0 to 4.0.9, 3.11 to 3.11.15, 3.9 to 3.9.22 and earlier unsupported versions
Versions fixed: 4.2.2, 4.1.5, 4.0.10, 3.11.16 and 3.9.23
Reported by: Bas Harkink
CVE identifier: CVE-2023-40318
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-78340
Tracker
More info:
https://moodle.org/mod/forum/discuss.php?d=449642&parent=1807044
by Michael Hawkins. An SQL injection risk was identified in the grader report sorting. (Note: By default the capability to access this page is only available to teachers, non-editing teachers and managers.)
Severity/Risk: Serious
Versions affected: 4.2 to 4.2.1
Versions fixed: 4.2.2
Reported by: Paul Holden
Workaround: Remove access to the gradereport/grader:view capability until the patch has been applied.
CVE identifier: CVE-2023-40319
Changes
More info:
https://moodle.org/mod/forum/discuss.php?d=449643&parent=1807045
by Michael Hawkins. It was possible to escalate stored self-XSS to stored XSS where users log in via OAuth 2.
Severity/Risk: Serious
Versions affected: 4.2 to 4.2.1, 4.1 to 4.1.4, 4.0 to 4.0.9, 3.11 to 3.11.15, 3.9 to 3.9.22 and earlier unsupported versions
Versions fixed: 4.2.2, 4.1.5, 4.0.10, 3.11.16 and 3.9.23
Reported by: Yaniv Nizry (SonarSource)
CVE identifier: CVE-2023-40320
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-78685
Tracker
More info:
https://moodle.org/mod/forum/discuss.php?d=449644&parent=1807048
by Michael Hawkins. Insufficient capability checks resulted in course participant data being available to other participants in the course who would not otherwise have access to the information.
Severity/Risk: Minor
Versions affected: 4.2 to 4.2.1
Versions fixed: 4.2.2
Reported by: Paul Holden
CVE identifier: CVE-2023-40321
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-78871
Tracker issue: MDL-78871 Private course participant data available from
More info:
https://moodle.org/mod/forum/discuss.php?d=449645&parent=1807049
by Michael Hawkins. The phpCAS library included with Moodle has been upgraded to version 1.6.0, which includes a fix for a serious security issue.
Severity/Risk: Serious
Versions affected: 4.0 to 4.0.9, 3.11 to 3.11.15, 3.9 to 3.9.22 and earlier unsupported versions
Versions fixed: 4.0.10, 3.11.16 and 3.9.23
Reported by: Julien Boulen
CVE identifier: CVE-2022-39369
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-78620
Tracker issue: MDL-78620 phpCAS
More info:
https://moodle.org/mod/forum/discuss.php?d=449646&parent=1807050
by Michael Hawkins. The jQuery UI library included with Moodle has been upgraded to version 1.13.2, which includes fixes for security issues.
Severity/Risk: Minor
Versions affected: 3.11 to 3.11.15, 3.9 to 3.9.22 and earlier unsupported versions
Versions fixed: 3.11.16 and 3.9.23
Reported by: Wolf Ventir
CVE identifier: CVE-2022-31160, CVE-2021-41184, CVE-2021-41183 and CVE-2021-41182
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-74544
Tracker
More info:
https://moodle.org/mod/forum/discuss.php?d=449648&parent=1807053
by Michael Hawkins. Insufficient capability checks made it possible to fetch other users' message processor preferences data.
Severity/Risk: Minor
Versions affected: 4.2 to 4.2.1, 4.1 to 4.1.4, 4.0 to 4.0.9, 3.11 to 3.11.15, 3.9 to 3.9.22 and earlier unsupported versions
Versions fixed: 4.2.2, 4.1.5, 4.0.10, 3.11.16 and 3.9.23
Reported by: Paul Holden
CVE identifier: CVE-2023-40322
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-78792
Tracker
More info:
https://moodle.org/mod/forum/discuss.php?d=449647&parent=1807051
by Michael Hawkins. Insufficient capability checks resulted in competency framework tools being available to users without the relevant capability.
Severity/Risk: Minor
Versions affected: 4.2 to 4.2.1, 4.1 to 4.1.4, 4.0 to 4.0.9, 3.11 to 3.11.15, 3.9 to 3.9.22 and earlier unsupported versions
Versions fixed: 4.2.2, 4.1.5, 4.0.10, 3.11.16 and 3.9.23
Reported by: Michael Hawkins
CVE identifier: CVE-2023-40324
Changes
More info:
https://moodle.org/mod/forum/discuss.php?d=449650&parent=1807055
by Michael Hawkins. The admin "view all policies" page URL required additional sanitizing to prevent an open redirect risk.
Severity/Risk: Minor
Versions affected: 4.2 to 4.2.1, 4.1 to 4.1.4, 4.0 to 4.0.9, 3.11 to 3.11.15, 3.9 to 3.9.22 and earlier unsupported versions
Versions fixed: 4.2.2, 4.1.5, 4.0.10, 3.11.16 and 3.9.23
Reported by: Darko Miletic
CVE identifier: CVE-2023-40323
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-78763
Tracker
More info:
https://moodle.org/mod/forum/discuss.php?d=449649&parent=1807054
by Michael Hawkins. Insufficient limitations made it possible for students to bypass sequential navigation during a quiz attempt.
Severity/Risk: Minor
Versions affected: 4.2 to 4.2.1, 4.1 to 4.1.4, 4.0 to 4.0.9, 3.11 to 3.11.15, 3.9 to 3.9.22 and earlier unsupported versions
Versions fixed: 4.2.2, 4.1.5, 4.0.10, 3.11.16 and 3.9.23
Reported by: Abhijit A M
CVE identifier: CVE-2023-40325
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71728
Tracker
More info:
https://moodle.org/mod/forum/discuss.php?d=449651&parent=1807056