by Michael Hawkins. A remote code execution risk was identified in the Lesson activity. By default, the vulnerable functionality was only available to users with the teacher or manager role.
Severity/Risk: Serious
Versions affected: 4.2 to 4.2.2, 4.1 to 4.1.5, 4.0 to 4.0.10, 3.11 to 3.11.16, 3.9 to 3.9.23 and earlier unsupported versions
Versions fixed: 4.2.3, 4.1.6, 4.0.11, 3.11.17 and 3.9.24
Reported by: Vincent Schneider (cli-ish)
CVE identifier: CVE-2023-5539
Changes:
More info:
https://moodle.org/mod/forum/discuss.php?d=451580&parent=1814887
by Michael Hawkins. A remote code execution risk was identified in the IMSCP activity. By default, the vulnerable functionality was only available to users with the teacher or manager role.
Severity/Risk: Serious
Versions affected: 4.2 to 4.2.2, 4.1 to 4.1.5, 4.0 to 4.0.10, 3.11 to 3.11.16, 3.9 to 3.9.23 and earlier unsupported versions
Versions fixed: 4.2.3, 4.1.6, 4.0.11, 3.11.17 and 3.9.24
Reported by: Vincent Schneider (cli-ish)
CVE identifier: CVE-2023-5540
Changes:
More info:
https://moodle.org/mod/forum/discuss.php?d=451581&parent=1814888
by Michael Hawkins. The CSV grade import method contained an XSS risk: unsafe content in an imported spreadsheet could be rendered in the browser of the user performing the import.
Severity/Risk: Minor
Versions affected: 4.2 to 4.2.2, 4.1 to 4.1.5, 4.0 to 4.0.10, 3.11 to 3.11.16, 3.9 to 3.9.23 and earlier unsupported versions
Versions fixed: 4.2.3, 4.1.6, 4.0.11, 3.11.17 and 3.9.24
Reported by: Attilio Ferrari
Workaround: Verify the contents and trustworthiness of grade spreadsheets before importing them.
CVE identifier: CVE-2023-5541
Changes:
More info:
https://moodle.org/mod/forum/discuss.php?d=451582&parent=1814890
by Michael Hawkins. Students in "Only see own membership" groups could see other students in the group, which should be hidden.
Severity/Risk: Minor
Versions affected: 4.2.2
Versions fixed: 4.2.3
Reported by: Eliot
CVE identifier: CVE-2023-5542
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-79213
Tracker issue: MDL-79213 Students could see other students in "Only see own membership" groups
More info:
https://moodle.org/mod/forum/discuss.php?d=451583&parent=1814891
by Michael Hawkins. When duplicating a BigBlueButton activity, the original meeting ID was also duplicated instead of a new ID being generated for the new activity. This could provide unintended access to the original meeting.
Severity/Risk: Minor
Versions affected: 4.2 to 4.2.2, 4.1 to 4.1.5 and 4.0 to 4.0.10
Versions fixed: 4.2.3, 4.1.6 and 4.0.11
Reported by: Lionel Caylat
Workaround: Manually create a fresh BigBlueButton activity instead of duplicating, until the patch has been applied.
CVE identifier:
More info:
https://moodle.org/mod/forum/discuss.php?d=451584&parent=1814892
by Michael Hawkins. H5P metadata automatically populated the author field with the user's username, which could be sensitive information.
Severity/Risk: Minor
Versions affected: 4.2 to 4.2.2, 4.1 to 4.1.5, 4.0 to 4.0.10, 3.11 to 3.11.16, 3.9 to 3.9.23 and earlier unsupported versions
Versions fixed: 4.2.3, 4.1.6, 4.0.11, 3.11.17 and 3.9.24
Reported by: Josh Manders
CVE identifier: CVE-2023-5545
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-78820
Tracker issue:
More info:
https://moodle.org/mod/forum/discuss.php?d=451586&parent=1814894
by Michael Hawkins. Wiki comments required additional sanitizing and access restrictions to prevent a stored XSS risk and a potential IDOR risk.
Severity/Risk: Serious
Versions affected: 4.2 to 4.2.2, 4.1 to 4.1.5, 4.0 to 4.0.10, 3.11 to 3.11.16, 3.9 to 3.9.23 and earlier unsupported versions
Versions fixed: 4.2.3, 4.1.6, 4.0.11, 3.11.17 and 3.9.24
Reported by: h1w0rld
CVE identifier: CVE-2023-5544
Changes:
More info:
https://moodle.org/mod/forum/discuss.php?d=451585&parent=1814893
by Michael Hawkins. The course upload preview contained an XSS risk: unsafe content in an uploaded course file could be rendered in the browser of the uploading user.
Severity/Risk: Minor
Versions affected: 4.2 to 4.2.2, 4.1 to 4.1.5, 4.0 to 4.0.10, 3.11 to 3.11.16, 3.9 to 3.9.23 and earlier unsupported versions
Versions fixed: 4.2.3, 4.1.6, 4.0.11, 3.11.17 and 3.9.24
Reported by: Paul Holden
Workaround: Verify the contents and trustworthiness of course data before uploading it.
CVE identifier: CVE-2023-5547
Changes:
More info:
https://moodle.org/mod/forum/discuss.php?d=451588&parent=1814896
by Michael Hawkins. ID numbers displayed in the quiz grading report required additional sanitizing to prevent a stored XSS risk.
Severity/Risk: Minor
Versions affected: 4.2 to 4.2.2, 4.1 to 4.1.5 and 4.0 to 4.0.10
Versions fixed: 4.2.3, 4.1.6 and 4.0.11
Reported by: Paul Holden
CVE identifier: CVE-2023-5546
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-78971
Tracker issue: MDL-78971 Stored XSS in quiz grading report via user ID number
More info:
https://moodle.org/mod/forum/discuss.php?d=451587&parent=1814895
by Michael Hawkins. Stronger revision number limitations were required on file serving endpoints to improve cache poisoning protection.
Severity/Risk: Minor
Versions affected: 4.2 to 4.2.2, 4.1 to 4.1.5, 4.0 to 4.0.10, 3.11 to 3.11.16, 3.9 to 3.9.23 and earlier unsupported versions
Versions fixed: 4.2.3, 4.1.6, 4.0.11, 3.11.17 and 3.9.24
Reported by: Yaniv Nizry (SonarSource)
CVE identifier: CVE-2023-5548
Changes:
More info:
https://moodle.org/mod/forum/discuss.php?d=451589&parent=1814897
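The check a site administrator wants from the list above is "is my install affected by any of these?". The script below answers that by parsing the "Versions affected" and "Versions fixed" strings exactly as they are printed in the advisories. It is an added example, not Moodle's own tooling: the range strings are copied from this page, the advisory labels and the three-state result ("affected", "fixed", "not listed") are this example's own conventions, and a trailing "+" on a weekly build is treated as the base release, which is the conservative reading since security fixes ship in the next point release. "Not listed" covers branches the advisory does not name, such as 3.10.x (unsupported but newer than the "earlier unsupported versions" cut-off) or a release newer than the fix; those need a separate check rather than being assumed safe.

```python
"""Check a Moodle version string against the affected ranges in the advisories above.

Added example, not Moodle's own tooling. The range and fix strings below are
copied from the advisories on this page; the labels and the three-state result
("affected" / "fixed" / "not listed") are this example's convention.
"""
import re

# Two affected/fixed pairs cover every advisory above (copied from the page text).
ALL_BRANCHES = ("4.2 to 4.2.2, 4.1 to 4.1.5, 4.0 to 4.0.10, 3.11 to 3.11.16, "
                "3.9 to 3.9.23 and earlier unsupported versions")
ALL_FIXED = "4.2.3, 4.1.6, 4.0.11, 3.11.17 and 3.9.24"
FOUR_BRANCHES = "4.2 to 4.2.2, 4.1 to 4.1.5 and 4.0 to 4.0.10"
FOUR_FIXED = "4.2.3, 4.1.6 and 4.0.11"

ADVISORIES = [  # (label assumed for this example, affected text, fixed text)
    ("CVE-2023-5539 Lesson RCE", ALL_BRANCHES, ALL_FIXED),
    ("CVE-2023-5540 IMSCP RCE", ALL_BRANCHES, ALL_FIXED),
    ("CVE-2023-5541 CSV grade import XSS", ALL_BRANCHES, ALL_FIXED),
    ("CVE-2023-5542 group membership disclosure", "4.2.2", "4.2.3"),
    ("BigBlueButton meeting ID reuse (CVE not listed on the page)", FOUR_BRANCHES, FOUR_FIXED),
    ("CVE-2023-5545 H5P author metadata", ALL_BRANCHES, ALL_FIXED),
    ("CVE-2023-5544 wiki comment XSS/IDOR", ALL_BRANCHES, ALL_FIXED),
    ("CVE-2023-5547 course upload preview XSS", ALL_BRANCHES, ALL_FIXED),
    ("CVE-2023-5546 quiz grading report XSS", FOUR_BRANCHES, FOUR_FIXED),
    ("CVE-2023-5548 file serving cache poisoning", ALL_BRANCHES, ALL_FIXED),
]

_SEP = re.compile(r",\s*|\s+and\s+")  # list separators used in the advisory text


def parse_version(text):
    """'4.2' -> (4, 2, 0). A weekly-build '4.1.5+' is treated as 4.1.5 (conservative)."""
    parts = text.strip().rstrip("+").split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (3 - len(nums)))


def parse_affected(text):
    """Return ([(low, high), ...] inclusive ranges, earlier_unsupported_flag)."""
    ranges, earlier = [], False
    for token in filter(None, (t.strip() for t in _SEP.split(text))):
        if token == "earlier unsupported versions":
            earlier = True
        elif " to " in token:
            low, high = token.split(" to ")
            ranges.append((parse_version(low), parse_version(high)))
        else:  # a single release, e.g. "4.2.2"
            v = parse_version(token)
            ranges.append((v, v))
    return ranges, earlier


def status(version, affected_text, fixed_text):
    """'affected', 'fixed', or 'not listed' (a branch the advisory does not name)."""
    v = parse_version(version)
    ranges, earlier = parse_affected(affected_text)
    # Branch (major.minor) -> first fixed release on that branch.
    fixed = {f[:2]: f for f in map(parse_version,
                                   filter(None, (t.strip() for t in _SEP.split(fixed_text))))}
    if any(low <= v <= high for low, high in ranges):
        return "affected"
    if v[:2] in fixed and v >= fixed[v[:2]]:
        return "fixed"
    if earlier and v < min(low for low, _ in ranges):
        return "affected"  # "and earlier unsupported versions": older than the oldest listed branch
    return "not listed"


def report(version):
    """Map each advisory label to its status for the given install."""
    return {label: status(version, aff, fix) for label, aff, fix in ADVISORIES}


if __name__ == "__main__":
    import sys
    for label, result in report(sys.argv[1] if len(sys.argv) > 1 else "4.1.5").items():
        print(f"{result:10}  {label}")
```

Run it as `python check_moodle.py 4.1.5+` (the file name is this example's). Note that 3.10.x and 4.3.x both come back "not listed": the advisories name only the supported branches plus an open-ended "earlier" clause, so an unnamed branch should be checked against the tracker issues, not assumed fixed.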