Security announcements

MSA-21-0036: Quiz unreleased grade disclosure via web service

Posted by Michael Hawkins

It was possible for a student to view their quiz grade before it had been released, using a quiz web service.


Severity/Risk: Serious
Versions affected: 3.11 to 3.11.2, 3.10 to 3.10.6, 3.9 to 3.9.9 and earlier unsupported versions
Versions fixed: 3.11.3, 3.10.7 and 3.9.10
Reported by: Nadav Kavalerchik
CVE identifier: CVE-2021-40695
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71797
Tracker issue: MDL-71797 Quiz unreleased grade disclosure via web service

MSA-21-0035: Arbitrary file read by site administrators via LaTeX preamble

Posted by Michael Hawkins

Insufficient escaping of the LaTeX preamble made it possible for site administrators to read files available to the HTTP server system account.


Severity/Risk: Serious
Versions affected: 3.11 to 3.11.2, 3.10 to 3.10.6, 3.9 to 3.9.9 and earlier unsupported versions
Versions fixed: 3.11.3, 3.10.7 and 3.9.10
Reported by: raisin_bugbounty
Workaround: Hard-code the value of the LaTeX preamble into $CFG->forced_plugin_settings['filter_tex']['latexpreamble'] within the site's config.php file.
CVE identifier: CVE-2021-40694
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71240
Tracker issue: MDL-71240 Arbitrary file read by site administrators via LaTeX preamble

MSA-21-0034: Authentication bypass risk when using external database authentication

Posted by Michael Hawkins

An authentication bypass risk was identified in the external database authentication functionality, due to a type juggling vulnerability.


Severity/Risk: Serious
Versions affected: 3.11 to 3.11.2, 3.10 to 3.10.6, 3.9 to 3.9.9 and earlier unsupported versions
Versions fixed: 3.11.3, 3.10.7 and 3.9.10
Reported by: Amit Eyal
CVE identifier: CVE-2021-40693
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71160
Tracker issue: MDL-71160 Authentication bypass risk when using external database authentication

MSA-21-0033: Course participants download did not restrict which users could be exported

Posted by Michael Hawkins

Insufficient capability checks made it possible for teachers to download users outside of their courses.


Severity/Risk: Minor
Versions affected: 3.11 to 3.11.2, 3.10 to 3.10.6, 3.9 to 3.9.9 and earlier unsupported versions
Versions fixed: 3.11.3, 3.10.7 and 3.9.10
Reported by: Paul Holden
CVE identifier: CVE-2021-40692
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71726
Tracker issue: MDL-71726 Course participants download did not restrict which users could be exported

MSA-21-0032: Session Hijack risk when Shibboleth authentication is enabled

Posted by Michael Hawkins

A session hijack risk was identified in the Shibboleth authentication plugin. (Note: Shibboleth authentication is disabled by default in Moodle.)


Severity/Risk: Serious
Versions affected: 3.11 to 3.11.2, 3.10 to 3.10.6, 3.9 to 3.9.9 and earlier unsupported versions
Versions fixed: 3.11.3, 3.10.7 and 3.9.10
Reported by: Robin Peraglie and Johannes Moritz
CVE identifier: CVE-2021-40691
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71976
Tracker issue: MDL-71976 Session Hijack risk when Shibboleth authentication is enabled

MSA-21-0031: Messaging email notifications containing HTML may hide the final line of the email

Posted by Michael Hawkins

In some circumstances, email notifications of messages could have the link back to the original message hidden by HTML, which may pose a phishing risk.


Severity/Risk: Minor
Versions affected: 3.11, 3.10 to 3.10.4, 3.9 to 3.9.7 and earlier unsupported versions
Versions fixed: 3.11.1, 3.10.5 and 3.9.8
Reported by: i_am_nobody
CVE identifier: CVE-2021-36403
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71919
Tracker issue: MDL-71919 Messaging email notifications containing HTML may hide the final line of the email

MSA-21-0030: Insufficient escaping of users' names in account confirmation email

Posted by Michael Hawkins

Users' names required additional sanitizing in the account confirmation email, to prevent a self-registration phishing risk.

Note: If you have customised the language string emailconfirmation, you will need to edit the customisation and remove the placeholder {$a->firstname}.

Severity/Risk: Minor
Versions affected: 3.11, 3.10 to 3.10.4, 3.9 to 3.9.7 and earlier unsupported versions
Versions fixed: 3.11.1, 3.10.5 and 3.9.8
Reported by: Babar Khan Akhunzada
CVE identifier: CVE-2021-36402
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-58393
Tracker issue: MDL-58393 Insufficient escaping of users' names in account confirmation email

MSA-21-0029: Stored XSS when exporting to data formats supporting HTML via user ID number

Posted by Michael Hawkins

ID numbers exported in HTML data formats required additional sanitizing to prevent a local stored XSS risk. Note that the XSS was part of the locally downloaded file and not on the Moodle site's domain.


Severity/Risk: Minor
Versions affected: 3.11, 3.10 to 3.10.4, 3.9 to 3.9.7 and earlier unsupported versions
Versions fixed: 3.11.1, 3.10.5 and 3.9.8
Reported by: Paul Holden
CVE identifier: CVE-2021-36401
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71981
Tracker issue: MDL-71981 Stored XSS when exporting to data formats supporting HTML via user ID number

MSA-21-0028: IDOR allows removal of other users' calendar URL subscriptions

Posted by Michael Hawkins

Insufficient capability checks made it possible to remove other users' calendar URL subscriptions.


Severity/Risk: Minor
Versions affected: 3.11, 3.10 to 3.10.4, 3.9 to 3.9.7 and earlier unsupported versions
Versions fixed: 3.11.1, 3.10.5 and 3.9.8
Reported by: Floerer
CVE identifier: CVE-2021-36400
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71978
Tracker issue: MDL-71978 IDOR allows removal of other users' calendar URL subscriptions

MSA-21-0027: Stored XSS in quiz override screens via user ID number

Posted by Michael Hawkins

ID numbers displayed in the quiz override screens required additional sanitizing to prevent a stored XSS risk.


Severity/Risk: Minor
Versions affected: 3.11
Versions fixed: 3.11.1
Reported by: Paul Holden
CVE identifier: CVE-2021-36399
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71898
Tracker issue: MDL-71898 Stored XSS in quiz override screens via user ID number