
====================================================================

                             CERT-Renater

                 Note d'Information No. 2021/VULN042
_____________________________________________________________________

DATE                : 25/01/2021

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S):  Systems running Moodle versions prior to 3.10.1,
                      3.9.4, 3.8.7, 3.5.16.

=====================================================================
https://moodle.org/mod/forum/discuss.php?d=417166
https://moodle.org/mod/forum/discuss.php?d=417167
https://moodle.org/mod/forum/discuss.php?d=417168
https://moodle.org/mod/forum/discuss.php?d=417170
https://moodle.org/mod/forum/discuss.php?d=417171
_____________________________________________________________________


MSA-21-0001: Search input template insufficiently escaped search queries
by Michael Hawkins, Monday 25 January 2021, 15:21


Some search inputs were vulnerable to reflected XSS due to insufficient
escaping of search queries.


Severity/Risk:          Serious
Versions affected:      3.10
Versions fixed:         3.10.1
Reported by:            kstpt
CVE identifier:         CVE-2021-20183
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-70571
Tracker issue:          MDL-70571 Search input template insufficiently
                         escaped search queries

_____________________________________________________________________


MSA-21-0002: Grade information disclosure in grade's external fetch
functions
by Michael Hawkins, Monday 25 January 2021, 15:26


Insufficient capability checks in some grade related web services meant
students were able to view other students' grades.


Severity/Risk:          Minor
Versions affected:      3.10, 3.9 to 3.9.3, 3.8 to 3.8.6
Versions fixed:         3.10.1, 3.9.4 and 3.8.7
Reported by:            Juan Segarra Montesinos
CVE identifier:         CVE-2021-20184
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-69797
Tracker issue:          MDL-69797 Grade information disclosure in
                         grade's external fetch functions

_____________________________________________________________________


MSA-21-0003: Client side denial of service via personal message
by Michael Hawkins, Monday 25 January 2021, 15:28


Messaging did not impose a character limit when sending messages, which
could result in client-side (browser) denial of service for users
receiving very large messages.


Severity/Risk:          Minor
Versions affected:      3.10, 3.9 to 3.9.3, 3.8 to 3.8.6, 3.5 to 3.5.15
                         and earlier unsupported versions
Versions fixed:         3.10.1, 3.9.4, 3.8.7 and 3.5.16
Reported by:            Rik Gouw
CVE identifier:         CVE-2021-20185
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-67782
Tracker issue:          MDL-67782 Client side denial of service via
                         personal message

_____________________________________________________________________


MSA-21-0004: Stored XSS possible via TeX notation filter
by Michael Hawkins, Monday 25 January 2021, 15:29


If the TeX notation filter was enabled, additional sanitizing of TeX
content was required to prevent the risk of stored XSS.


Severity/Risk:          Serious
Versions affected:      3.10, 3.9 to 3.9.3, 3.8 to 3.8.6, 3.5 to 3.5.15
                         and earlier unsupported versions
Versions fixed:         3.10.1, 3.9.4, 3.8.7 and 3.5.16
Reported by:            Ata Hakcil
Workaround:             Disable the TeX notation filter until the patch
                         has been applied. (Note that this filter is
                         disabled by default.)
CVE identifier:         CVE-2021-20186
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-69911
Tracker issue:          MDL-69911 Stored XSS possible via TeX notation
                         filter

_____________________________________________________________________


MSA-21-0005: Arbitrary PHP code execution by site admins via Shibboleth
configuration
by Michael Hawkins, Monday 25 January 2021, 15:31


It was possible for site administrators to execute arbitrary PHP scripts
via a PHP include used during Shibboleth authentication.


Severity/Risk:          Serious
Versions affected:      3.10, 3.9 to 3.9.3, 3.8 to 3.8.6, 3.5 to 3.5.15
                         and earlier unsupported versions
Versions fixed:         3.10.1, 3.9.4, 3.8.7 and 3.5.16
Reported by:            Frédéric Massart
Workaround:             Hardcode preventexecpath to true in config.php,
                         which prevents site administrators setting some
                         executable paths via the UI. See
https://docs.moodle.org/310/en/report/security/report_security_check_preventexecpath
                         for more details.
CVE identifier:         CVE-2021-20187
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-68486
Tracker issue:          MDL-68486 Arbitrary PHP code execution by site
                         admins via Shibboleth configuration
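The workaround above refers to the preventexecpath setting, which Moodle reads
from config.php as a property of the $CFG object. The fragment below is an added
illustration, not part of the CERT-Renater bulletin or of Moodle's own files; it
assumes a standard config.php in which $CFG has already been created by the usual
boilerplate, and shows where the line belongs relative to the final setup.php
include.

```php
<?php
// Excerpt from a Moodle config.php (added example, not the project's own file).
// Assumption: $CFG has already been created by the standard config.php
// boilerplate that precedes this point (database settings, wwwroot, dataroot...).

// Forcing this value from config.php overrides the admin UI, so an
// administrator account cannot change the executable-path settings the
// advisory refers to; the security report then shows the check as passing.
$CFG->preventexecpath = true;

// Must remain the last line of config.php: settings set after this point
// would not be applied.
require_once(__DIR__ . '/lib/setup.php');
```

After deploying the change, the "Executable paths" entry of Site administration >
Reports > Security checks should report the setting as forced in config.php.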


=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================


