MSA-23-0024: Private course participant data available from external grade report method

by Michael Hawkins. Insufficient capability checks resulted in course participant data being available to other participants in the course who would not otherwise have access to the information.
Severity/Risk: Minor
Versions affected: 4.2 to 4.2.1
Versions fixed: 4.2.2
Reported by: Paul Holden
CVE identifier: CVE-2023-40321
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-78871
Tracker issue: MDL-78871 Private course participant data available from
More info: https://moodle.org/mod/forum/discuss.php?d=449645&parent=1807049

MSA-23-0025: phpCAS library upgraded to 1.6.0 (upstream)

by Michael Hawkins. The phpCAS library included with Moodle has been upgraded to version 1.6.0, which includes a fix for a serious security issue.
Severity/Risk: Serious
Versions affected: 4.0 to 4.0.9, 3.11 to 3.11.15, 3.9 to 3.9.22 and earlier unsupported versions
Versions fixed: 4.0.10, 3.11.16 and 3.9.23
Reported by: Julien Boulen
CVE identifier: CVE-2022-39369
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-78620
Tracker issue: MDL-78620 phpCAS
More info: https://moodle.org/mod/forum/discuss.php?d=449646&parent=1807050

MSA-23-0027: JQuery UI library upgraded to 1.13.2 (upstream)

by Michael Hawkins. The JQuery UI library included with Moodle has been upgraded to version 1.13.2, which includes fixes for security issues.
Severity/Risk: Minor
Versions affected: 3.11 to 3.11.15, 3.9 to 3.9.22 and earlier unsupported versions
Versions fixed: 3.11.16 and 3.9.23
Reported by: Wolf Ventir
CVE identifier: CVE-2022-31160, CVE-2021-41184, CVE-2021-41183 and CVE-2021-41182
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-74544
Tracker
More info: https://moodle.org/mod/forum/discuss.php?d=449648&parent=1807053

MSA-23-0026: IDOR in message processor fragments allows fetching of other users data

by Michael Hawkins. Insufficient capability checks made it possible to fetch other users' message processor preferences data.
Severity/Risk: Minor
Versions affected: 4.2 to 4.2.1, 4.1 to 4.1.4, 4.0 to 4.0.9, 3.11 to 3.11.15, 3.9 to 3.9.22 and earlier unsupported versions
Versions fixed: 4.2.2, 4.1.5, 4.0.10, 3.11.16 and 3.9.23
Reported by: Paul Holden
CVE identifier: CVE-2023-40322
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-78792
Tracker
More info: https://moodle.org/mod/forum/discuss.php?d=449647&parent=1807051

MSA-23-0029: Competency framework tools are not restricted as intended

by Michael Hawkins. Insufficient capability checks resulted in competency framework tools being available to users without the relevant capability.
Severity/Risk: Minor
Versions affected: 4.2 to 4.2.1, 4.1 to 4.1.4, 4.0 to 4.0.9, 3.11 to 3.11.15, 3.9 to 3.9.22 and earlier unsupported versions
Versions fixed: 4.2.2, 4.1.5, 4.0.10, 3.11.16 and 3.9.23
Reported by: Michael Hawkins
CVE identifier: CVE-2023-40324
Changes
More info: https://moodle.org/mod/forum/discuss.php?d=449650&parent=1807055

MSA-23-0028: Open redirect risk on admin view all policies page

by Michael Hawkins. The admin view all policies page URL required additional sanitizing to prevent an open redirect risk.
Severity/Risk: Minor
Versions affected: 4.2 to 4.2.1, 4.1 to 4.1.4, 4.0 to 4.0.9, 3.11 to 3.11.15, 3.9 to 3.9.22 and earlier unsupported versions
Versions fixed: 4.2.2, 4.1.5, 4.0.10, 3.11.16 and 3.9.23
Reported by: Darko Miletic
CVE identifier: CVE-2023-40323
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-78763
Tracker
More info: https://moodle.org/mod/forum/discuss.php?d=449649&parent=1807054

MSA-23-0030: Quiz sequential navigation bypass possible

by Michael Hawkins. Insufficient limitations made it possible for students to bypass sequential navigation during a quiz attempt.
Severity/Risk: Minor
Versions affected: 4.2 to 4.2.1, 4.1 to 4.1.4, 4.0 to 4.0.9, 3.11 to 3.11.15, 3.9 to 3.9.22 and earlier unsupported versions
Versions fixed: 4.2.2, 4.1.5, 4.0.10, 3.11.16 and 3.9.23
Reported by: Abhijit A M
CVE identifier: CVE-2023-40325
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71728
Tracker
More info: https://moodle.org/mod/forum/discuss.php?d=449651&parent=1807056

Detecting Secrets in Container Images

As organizations continue to adopt containers and Kubernetes for their applications, the need to secure these containers becomes increasingly important. Many applications are built with third-party sourced components from public image registries. Attackers are privy to the growing use of these third-party image registries, and often target them with malware, thus requiring special attention. Additionally, …
The post Detecting Secrets in Container Images appeared first on VMware.
More info: https://blogs.vmware.com/security/2023/08/detecting-secrets-in-container-images.html?utm_source=rss&utm_medium=rss&utm_campaign=detecting-secrets-in-container-images

K30444545 : libxslt vulnerability CVE-2019-11068

Security Advisory Description: libxslt through 1.1.33 allows bypass of a protection mechanism because callers of xsltCheckRead and xsltCheckWrite permit access even upon receiving a -1 error code.
More info: https://my.f5.com/manage/s/article/K30444545?utm_source=f5support&utm_medium=RSS

K33548065 : Eclipse Jetty vulnerability CVE-2018-12536

Security Advisory Description: In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url- ...
More info: https://my.f5.com/manage/s/article/K33548065?utm_source=f5support&utm_medium=RSS