
====================================================================

                             CERT-Renater

                  Information Note No. 2021/VULN161
_____________________________________________________________________

DATE                : 15/03/2021

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Moodle versions prior to
                     3.10.2, 3.9.5, 3.8.8, 3.5.17.

=====================================================================
https://moodle.org/mod/forum/discuss.php?d=419650
https://moodle.org/mod/forum/discuss.php?d=419651
https://moodle.org/mod/forum/discuss.php?d=419652
https://moodle.org/mod/forum/discuss.php?d=419653
https://moodle.org/mod/forum/discuss.php?d=419654
_____________________________________________________________________

MSA-21-0006: Stored XSS via ID number user profile field
by Michael Hawkins, Monday, 15 March 2021, 14:28


The ID number user profile field required additional sanitizing to
prevent a stored XSS risk.


Severity/Risk:          Serious
Versions affected:      3.10 to 3.10.1, 3.9 to 3.9.4, 3.8 to 3.8.7, 3.5
                        to 3.5.16 and earlier unsupported versions
Versions fixed:         3.10.2, 3.9.5, 3.8.8 and 3.5.17
Reported by:            Magyar-Hunor Tamas
Workaround:             Disable the ID number field by unchecking it in
                        Site admin > Users > User policies > Show user identity,
                        until the patch has been applied.
CVE identifier:         CVE-2021-20279
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-65552
Tracker issue:          MDL-65552 Stored XSS via ID number user profile
                        field

_____________________________________________________________________


MSA-21-0007: Stored XSS and blind SSRF possible via feedback answer text
by Michael Hawkins, Monday, 15 March 2021, 14:31


Text-based feedback answers required additional sanitizing to prevent
stored XSS and blind SSRF risks.


Severity/Risk:          Serious
Versions affected:      3.10 to 3.10.1, 3.9 to 3.9.4, 3.8 to 3.8.7, 3.5
                        to 3.5.16 and earlier unsupported versions
Versions fixed:         3.10.2, 3.9.5, 3.8.8 and 3.5.17
Reported by:            Holme and Rekter0
CVE identifier:         CVE-2021-20280
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-70767
Tracker issue:          MDL-70767 Stored XSS and blind SSRF possible via
                        feedback answer text

_____________________________________________________________________


MSA-21-0008: User full name disclosure within online users block
by Michael Hawkins, Monday, 15 March 2021, 15:21


It was possible for some users without permission to view other users'
full names to do so via the online users block.


Severity/Risk:          Minor
Versions affected:      3.10 to 3.10.1, 3.9 to 3.9.4, 3.8 to 3.8.7, 3.5
                        to 3.5.16 and earlier unsupported versions
Versions fixed:         3.10.2, 3.9.5, 3.8.8 and 3.5.17
Reported by:            Ankit Agarwal
Workaround:             Hide the online users block (via Site
                        administration > Plugins > Blocks > Manage blocks)
                        until the patch has been applied.
CVE identifier:         CVE-2021-20281
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-59293
Tracker issue:          MDL-59293 User full name disclosure within
                        online users block

_____________________________________________________________________


MSA-21-0009: Bypass email verification secret when confirming account
registration
by Michael Hawkins, Monday, 15 March 2021, 15:23


When creating a user account, it was possible to verify the account
without having access to the verification email link/secret.


Severity/Risk:          Minor
Versions affected:      3.10 to 3.10.1, 3.9 to 3.9.4, 3.8 to 3.8.7, 3.5
                        to 3.5.16 and earlier unsupported versions
Versions fixed:         3.10.2, 3.9.5, 3.8.8 and 3.5.17
Reported by:            Bandjes
CVE identifier:         CVE-2021-20282
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-70668
Tracker issue:          MDL-70668 Bypass email verification secret when
                        confirming account registration

_____________________________________________________________________


MSA-21-0010: Fetching a user's enrolled courses via web services did not
check profile access in each course
by Michael Hawkins, Monday, 15 March 2021, 15:41


The web service responsible for fetching other users' enrolled courses
did not validate that the requesting user had permission to view that
information in each course.


Severity/Risk:          Minor
Versions affected:      3.10 to 3.10.1, 3.9 to 3.9.4, 3.8 to 3.8.7, 3.5
                        to 3.5.16 and earlier unsupported versions
Versions fixed:         3.10.2, 3.9.5, 3.8.8 and 3.5.17
Reported by:            Paul Holden
CVE identifier:         CVE-2021-20283
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-70822
Tracker issue:          MDL-70822 Fetching a user's enrolled courses via
                        web services did not check profile access in
                        each course

=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================







