MSA-23-0024: Private course participant data available from external grade report method

by Michael Hawkins. Insufficient capability checks resulted in course participant data being available to other participants in the course who would not otherwise have access to the information.
Severity/Risk: Minor
Versions affected: 4.2 to 4.2.1
Versions fixed: 4.2.2
Reported by: Paul Holden
CVE identifier: CVE-2023-40321
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-78871
Tracker issue: MDL-78871 Private course participant data available from external grade report method
More info: https://moodle.org/mod/forum/discuss.php?d=449645&parent=1807049

MSA-23-0025: phpCAS library upgraded to 1.6.0 (upstream)

by Michael Hawkins. The phpCAS library included with Moodle has been upgraded to version 1.6.0, which includes a fix for a serious security issue.
Severity/Risk: Serious
Versions affected: 4.0 to 4.0.9, 3.11 to 3.11.15, 3.9 to 3.9.22 and earlier unsupported versions
Versions fixed: 4.0.10, 3.11.16 and 3.9.23
Reported by: Julien Boulen
CVE identifier: CVE-2022-39369
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-78620
Tracker issue: MDL-78620
More info: https://moodle.org/mod/forum/discuss.php?d=449646&parent=1807050

MSA-23-0026: IDOR in message processor fragments allows fetching of other users data

by Michael Hawkins. Insufficient capability checks made it possible to fetch other users' message processor preferences data.
Severity/Risk: Minor
Versions affected: 4.2 to 4.2.1, 4.1 to 4.1.4, 4.0 to 4.0.9, 3.11 to 3.11.15, 3.9 to 3.9.22 and earlier unsupported versions
Versions fixed: 4.2.2, 4.1.5, 4.0.10, 3.11.16 and 3.9.23
Reported by: Paul Holden
CVE identifier: CVE-2023-40322
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-78792
More info: https://moodle.org/mod/forum/discuss.php?d=449647&parent=1807051
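MSA-23-0024 and MSA-23-0026 are the same bug class seen from two sides: code that gates on "is this user a participant?" or "does this record exist?" when the question should be "does this user hold the capability, in this context, to see that field or that record?". The example below is an added illustration in Python and is not Moodle's code; the context tree, role and capability names, user ids and all records are constructed for it. It models a capability lookup that walks from a course context up to the system context (the way Moodle resolves has_capability(), though the real resolution is richer), then shows each endpoint in its vulnerable and its checked form.

```python
"""Capability checks of the kind whose absence produced MSA-23-0024 and MSA-23-0026.

Added illustration, not Moodle's code. Everything below (context ids, role and
capability names, users, records) is constructed for the example.
"""
from typing import Dict, Optional, Set, Tuple

# Toy context tree: course 101 is a child of the system context.
SYSTEM = "system"
COURSE_101 = "course:101"
PARENT: Dict[str, Optional[str]] = {SYSTEM: None, COURSE_101: SYSTEM}

# Hypothetical capability names.
CAP_VIEW_HIDDEN_FIELDS = "report:viewhiddenuserfields"
CAP_VIEW_ANY_PREFS = "message:viewanyuserprefs"

ROLE_CAPS: Dict[str, Set[str]] = {
    "admin": {CAP_VIEW_HIDDEN_FIELDS, CAP_VIEW_ANY_PREFS},
    "teacher": {CAP_VIEW_HIDDEN_FIELDS},
    "student": set(),
}

# (userid, context) -> role. User 1 is a site admin, 2 teaches course 101,
# 3 and 4 are students in it.
ROLE_ASSIGNMENTS: Dict[Tuple[int, str], str] = {
    (1, SYSTEM): "admin",
    (2, COURSE_101): "teacher",
    (3, COURSE_101): "student",
    (4, COURSE_101): "student",
}

# Constructed participant records; email and lastip are the private columns.
PARTICIPANTS = {
    3: {"fullname": "Student A", "email": "a@student.example", "lastip": "198.51.100.7"},
    4: {"fullname": "Student B", "email": "b@student.example", "lastip": "203.0.113.9"},
}
PRIVATE_FIELDS = {"email", "lastip"}

# Constructed per-user message processor preferences.
PROCESSOR_PREFS = {2: {"email": "enabled"}, 3: {"popup": "enabled"}, 4: {"email": "disabled"}}


def has_capability(userid: int, cap: str, context: str) -> bool:
    """Grant if a role the user holds anywhere on the path from `context` to the root carries `cap`."""
    ctx: Optional[str] = context
    while ctx is not None:
        role = ROLE_ASSIGNMENTS.get((userid, ctx))
        if role is not None and cap in ROLE_CAPS[role]:
            return True
        ctx = PARENT[ctx]
    return False


def is_participant(userid: int, course: str) -> bool:
    return (userid, course) in ROLE_ASSIGNMENTS


def participants_report_vulnerable(requester: int, course: str = COURSE_101) -> Dict[int, dict]:
    """Treats 'is a participant' as the only gate, so every student sees every column."""
    if not is_participant(requester, course):
        raise PermissionError("not enrolled")
    return {uid: dict(rec) for uid, rec in PARTICIPANTS.items()}


def participants_report_fixed(requester: int, course: str = COURSE_101) -> Dict[int, dict]:
    """Enrolment gets you the report; the private columns additionally need a
    capability in the course context, unless the row is your own."""
    if not is_participant(requester, course):
        raise PermissionError("not enrolled")
    may_view_private = has_capability(requester, CAP_VIEW_HIDDEN_FIELDS, course)
    report: Dict[int, dict] = {}
    for uid, rec in PARTICIPANTS.items():
        allowed = may_view_private or uid == requester
        report[uid] = {k: v for k, v in rec.items() if allowed or k not in PRIVATE_FIELDS}
    return report


def processor_prefs_vulnerable(requester: int, userid: int) -> dict:
    """The IDOR shape: `userid` comes straight from the request and is only checked for existence."""
    return dict(PROCESSOR_PREFS[userid])


def processor_prefs_fixed(requester: int, userid: int) -> dict:
    """Own preferences are always readable; anyone else's need a system-level capability."""
    if userid != requester and not has_capability(requester, CAP_VIEW_ANY_PREFS, SYSTEM):
        raise PermissionError(f"user {requester} may not read preferences of user {userid}")
    return dict(PROCESSOR_PREFS[userid])
```

The check in the fixed functions is the one an external (web service) function should make after validating its context: the identity being acted on is compared against the caller, and anything beyond the caller's own data is conditioned on a capability resolved in the right context, never on enrolment alone.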

MSA-23-0027: JQuery UI library upgraded to 1.13.2 (upstream)

by Michael Hawkins. The JQuery UI library included with Moodle has been upgraded to version 1.13.2, which includes fixes for security issues.
Severity/Risk: Minor
Versions affected: 3.11 to 3.11.15, 3.9 to 3.9.22 and earlier unsupported versions
Versions fixed: 3.11.16 and 3.9.23
Reported by: Wolf Ventir
CVE identifier: CVE-2022-31160, CVE-2021-41184, CVE-2021-41183 and CVE-2021-41182
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-74544
More info: https://moodle.org/mod/forum/discuss.php?d=449648&parent=1807053

MSA-23-0028: Open redirect risk on admin view all policies page

by Michael Hawkins. The admin "view all policies" page URL required additional sanitizing to prevent an open redirect risk.
Severity/Risk: Minor
Versions affected: 4.2 to 4.2.1, 4.1 to 4.1.4, 4.0 to 4.0.9, 3.11 to 3.11.15, 3.9 to 3.9.22 and earlier unsupported versions
Versions fixed: 4.2.2, 4.1.5, 4.0.10, 3.11.16 and 3.9.23
Reported by: Darko Miletic
CVE identifier: CVE-2023-40323
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-78763
More info: https://moodle.org/mod/forum/discuss.php?d=449649&parent=1807054
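The advisory says only that the page's URL parameter needed more sanitizing; it does not show the parameter or the fix. The example below is an added illustration in Python, not Moodle's code (Moodle's own answer to this class is to read return URLs with PARAM_LOCALURL, which is not reproduced here). It shows the trusting pattern beside a same-origin validator that refuses the inputs a browser would interpret as leaving the site: scheme-relative "//host", extra leading slashes, userinfo tricks, backslashes, non-http schemes, embedded whitespace and a host that merely starts with the site's name. The site root is a constructed hostname.

```python
"""Return-URL validation that closes an open redirect.

Added illustration, not Moodle's code. SITE_ROOT is a constructed hostname.
"""
from typing import Optional
from urllib.parse import urlsplit

SITE_ROOT = "https://moodle.example"  # constructed example site root


def redirect_target_unsafe(candidate: str) -> str:
    """The vulnerable pattern: pass whatever ?returnurl= carried straight to redirect()."""
    return candidate


def safe_return_url(candidate: str, site_root: str = SITE_ROOT,
                    default: Optional[str] = None) -> str:
    """Return an absolute URL on this site, or the fallback if `candidate` would leave it.

    Accepts exactly two shapes:
      * a path-absolute reference ("/grade/...") which is re-rooted on site_root
      * an absolute http(s) URL whose scheme and host:port equal site_root's
    Anything else falls back to site_root (or `default`).
    """
    fallback = site_root if default is None else default
    root = urlsplit(site_root)

    if not candidate:
        return fallback
    # Browsers turn "\" into "/" and strip tabs/newlines before parsing; refusing
    # those characters outright is simpler and safer than mirroring that.
    if any(ch == "\\" or ch.isspace() or ord(ch) < 0x20 for ch in candidate):
        return fallback

    try:
        parts = urlsplit(candidate)
    except ValueError:  # e.g. an unbalanced IPv6 literal
        return fallback

    if parts.scheme == "" and parts.netloc == "":
        # Relative reference. Require a single leading "/": "//x" and "///x" are
        # host-bearing to a browser even when urlsplit reports no netloc.
        if not candidate.startswith("/") or candidate.startswith("//"):
            return fallback
        return f"{root.scheme}://{root.netloc}{candidate}"

    # Absolute reference: exact origin match. netloc includes any userinfo, so
    # "https://moodle.example@evil.example/" compares unequal; a different
    # explicit port also compares unequal, which is the conservative choice.
    if parts.scheme.lower() not in ("http", "https"):
        return fallback
    if parts.scheme.lower() != root.scheme.lower() or parts.netloc.lower() != root.netloc.lower():
        return fallback
    return candidate


if __name__ == "__main__":
    for url in ("/admin/tool/policy/managedocs.php?archived=1", "//evil.example/",
                "https://moodle.example@evil.example/", "https://moodle.example.evil.example/",
                "javascript:alert(1)", "/\\evil.example", "///evil.example"):
        print(f"{url!r:45} -> {safe_return_url(url)}")
```

Whitelisting shapes (path-absolute, or exact-origin absolute) rather than blacklisting bad prefixes is the point: every bypass listed in the comments is a way of making a string look relative or local to a regex while a browser reads it as an external origin.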

MSA-23-0030: Quiz sequential navigation bypass possible

by Michael Hawkins. Insufficient limitations made it possible for students to bypass sequential navigation during a quiz attempt.
Severity/Risk: Minor
Versions affected: 4.2 to 4.2.1, 4.1 to 4.1.4, 4.0 to 4.0.9, 3.11 to 3.11.15, 3.9 to 3.9.22 and earlier unsupported versions
Versions fixed: 4.2.2, 4.1.5, 4.0.10, 3.11.16 and 3.9.23
Reported by: Abhijit A M
CVE identifier: CVE-2023-40325
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71728
More info: https://moodle.org/mod/forum/discuss.php?d=449651&parent=1807056

MSA-23-0029: Competency framework tools are not restricted as intended

by Michael Hawkins. Insufficient capability checks resulted in competency framework tools being available to users without the relevant capability.
Severity/Risk: Minor
Versions affected: 4.2 to 4.2.1, 4.1 to 4.1.4, 4.0 to 4.0.9, 3.11 to 3.11.15, 3.9 to 3.9.22 and earlier unsupported versions
Versions fixed: 4.2.2, 4.1.5, 4.0.10, 3.11.16 and 3.9.23
Reported by: Michael Hawkins
CVE identifier: CVE-2023-40324
More info: https://moodle.org/mod/forum/discuss.php?d=449650&parent=1807055

MSA-23-0032: Authenticated remote code execution risk in IMSCP

by Michael Hawkins. A remote code execution risk was identified in the IMSCP activity. By default this was only available to teachers and managers.
Severity/Risk: Serious
Versions affected: 4.2 to 4.2.2, 4.1 to 4.1.5, 4.0 to 4.0.10, 3.11 to 3.11.16, 3.9 to 3.9.23 and earlier unsupported versions
Versions fixed: 4.2.3, 4.1.6, 4.0.11, 3.11.17 and 3.9.24
Reported by: Vincent Schneider (cli-ish)
CVE identifier: CVE-2023-5540
More info: https://moodle.org/mod/forum/discuss.php?d=451581&parent=1814888

MSA-23-0031: Authenticated remote code execution risk in Lesson

by Michael Hawkins. A remote code execution risk was identified in the Lesson activity. By default this was only available to teachers and managers.
Severity/Risk: Serious
Versions affected: 4.2 to 4.2.2, 4.1 to 4.1.5, 4.0 to 4.0.10, 3.11 to 3.11.16, 3.9 to 3.9.23 and earlier unsupported versions
Versions fixed: 4.2.3, 4.1.6, 4.0.11, 3.11.17 and 3.9.24
Reported by: Vincent Schneider (cli-ish)
CVE identifier: CVE-2023-5539
More info: https://moodle.org/mod/forum/discuss.php?d=451580&parent=1814887

MSA-23-0033: XSS risk when using CSV grade import method

by Michael Hawkins. The CSV grade import method contained an XSS risk for users importing the spreadsheet, if it contained unsafe content.
Severity/Risk: Minor
Versions affected: 4.2 to 4.2.2, 4.1 to 4.1.5, 4.0 to 4.0.10, 3.11 to 3.11.16, 3.9 to 3.9.23 and earlier unsupported versions
Versions fixed: 4.2.3, 4.1.6, 4.0.11, 3.11.17 and 3.9.24
Reported by: Attilio Ferrari
Workaround: Verify the contents and trustworthiness of grade spreadsheets before importing them.
CVE identifier: CVE-2023-5541
More info: https://moodle.org/mod/forum/discuss.php?d=451582&parent=1814890
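The victim here is the importer: whatever the spreadsheet's author wrote into a cell is echoed back into the importing teacher's page (a preview or an error row), and if it is echoed unescaped it runs in that teacher's session. The advisory does not say which screen rendered the content, so the example below is an added illustration in Python, not Moodle's code; the spreadsheet rows and the preview markup are constructed for it. It parses a grade CSV whose feedback column carries a payload and builds the same preview table two ways.

```python
"""Escaping imported spreadsheet content before echoing it back to the importer.

Added illustration, not Moodle's code. SAMPLE_CSV and the table markup are constructed.
"""
import csv
import html
import io
from typing import Dict, List

# Constructed grade spreadsheet; the second data row carries an injected
# payload in the Feedback column.
SAMPLE_CSV = (
    "Email,Grade,Feedback\n"
    "a@student.example,78,Good work\n"
    'b@student.example,65,"<img src=x onerror=alert(document.cookie)>"\n'
)


def parse_grades(text: str) -> List[Dict[str, str]]:
    """CSV -> list of row dicts keyed by the header line."""
    return list(csv.DictReader(io.StringIO(text)))


def preview_rows_vulnerable(rows: List[Dict[str, str]]) -> str:
    """Builds the preview by concatenating cell text into markup, so a cell
    that contains HTML is interpreted by the importer's browser."""
    out = ["<table>"]
    for row in rows:
        out.append("<tr>" + "".join(f"<td>{v}</td>" for v in row.values()) + "</tr>")
    out.append("</table>")
    return "".join(out)


def preview_rows_fixed(rows: List[Dict[str, str]]) -> str:
    """Same preview with every cell HTML-escaped; quote=True also covers the
    case where a cell value ends up inside an attribute."""
    out = ["<table>"]
    for row in rows:
        cells = "".join(f"<td>{html.escape(str(v), quote=True)}</td>" for v in row.values())
        out.append("<tr>" + cells + "</tr>")
    out.append("</table>")
    return "".join(out)
```

The rule generalises past CSV: content from an uploaded file is untrusted input in exactly the same way as a form field, and the escaping belongs at the output point, for the context (element text, attribute, URL) it is written into, not at parse time.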