
====================================================================

                             CERT-Renater

                 Information Note No. 2021/VULN277
_____________________________________________________________________

DATE                : 18/05/2021

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Moodle versions prior to 3.11,
                                3.10.4, 3.9.7, 3.8.9, 3.5.18.

=====================================================================
https://moodle.org/mod/forum/discuss.php?d=422314
https://moodle.org/mod/forum/discuss.php?d=422315
https://moodle.org/mod/forum/discuss.php?d=422305
https://moodle.org/mod/forum/discuss.php?d=422307
https://moodle.org/mod/forum/discuss.php?d=422308
https://moodle.org/mod/forum/discuss.php?d=422309
https://moodle.org/mod/forum/discuss.php?d=422310
https://moodle.org/mod/forum/discuss.php?d=422313
_____________________________________________________________________


MSA-21-0018: Reflected XSS and open redirect in LTI authorization endpoint
by Michael Hawkins, Monday 17 May 2021, 15:40

The redirect URI in the LTI authorization endpoint required extra
sanitizing to prevent reflected XSS and open redirect risks.


Severity/Risk: 	Minor
Versions affected: 	3.10 to 3.10.3, 3.9 to 3.9.6, 3.8 to 3.8.8 and
                         earlier unsupported versions
Versions fixed: 	3.11, 3.10.4, 3.9.7 and 3.8.9
Reported by: 	        Jordan Tomkinson
CVE identifier: 	CVE-2021-32478
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-70622
Tracker issue: 	        MDL-70622 Reflected XSS and open redirect in LTI
                         authorization endpoint

_____________________________________________________________________


MSA-21-0019: Upgrade H5P PHP library to latest minor version (upstream)
by Michael Hawkins, Monday 17 May 2021, 15:41

The H5P PHP library included with Moodle has been upgraded to the latest
minor version, which includes a security fix.


Severity/Risk: 	        Serious
Versions affected: 	3.10 to 3.10.3, 3.9 to 3.9.6 and 3.8 to 3.8.8
Versions fixed: 	3.11, 3.10.4, 3.9.7 and 3.8.9
Reported by: 	        Sara Arjona
CVE identifier: 	N/A
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71408
Tracker issue: 	        MDL-71408 Upgrade H5P PHP library to latest
                         minor version (upstream)

_____________________________________________________________________


MSA-21-0012: Forum CSV export could result in posts from all courses
being exported
by Michael Hawkins, Monday 17 May 2021, 15:33


Teachers exporting a forum in CSV format could receive a CSV of forums
from all courses in some circumstances.


Severity/Risk:          Serious
Versions affected: 	3.10 to 3.10.3, 3.9 to 3.9.6 and 3.8 to 3.8.8
Versions fixed: 	3.11, 3.10.4, 3.9.7 and 3.8.9
Reported by: 	        Daniel Konrad
Workaround: 	        Remove the Export Forum (mod/forum:exportforum)
                         capability from non-admin roles/users until the
                         patch has been applied.
CVE identifier: 	CVE-2021-32472
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71359
Tracker issue: 	        MDL-71359 Forum CSV export could result in posts
                         from all courses being exported
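
One way to verify the workaround above, as an added example that is not
part of the Moodle announcement or of this bulletin: the query lists every
role definition or override that still allows mod/forum:exportforum. It
assumes read access to the Moodle database and the default "mdl_" prefix.

```sql
-- Added example (not Moodle's or CERT-Renater's code).
-- Assumption: tables use the default "mdl_" prefix; adjust if yours differs.
-- permission:   1 = allow, -1 = prevent, -1000 = prohibit
-- contextlevel: 10 = system, 40 = course category, 50 = course,
--               70 = activity module (a single forum)
SELECT r.shortname      AS role_shortname,
       r.archetype      AS role_archetype,
       ctx.contextlevel AS context_level,
       ctx.instanceid   AS context_instance,
       rc.permission    AS permission,
       -- how many distinct users hold this role anywhere on the site
       (SELECT COUNT(DISTINCT ra.userid)
          FROM mdl_role_assignments ra
         WHERE ra.roleid = r.id) AS users_with_role
  FROM mdl_role_capabilities rc
  JOIN mdl_role    r   ON r.id   = rc.roleid
  JOIN mdl_context ctx ON ctx.id = rc.contextid
 WHERE rc.capability = 'mod/forum:exportforum'
   AND rc.permission = 1
 ORDER BY ctx.contextlevel, r.shortname;
```

Rows at context level 10 are role definitions; rows at deeper levels are
local overrides. An empty result means no role grants the capability.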

_____________________________________________________________________


MSA-21-0013: Quiz unreleased grade disclosure via web service
by Michael Hawkins, Monday 17 May 2021, 15:34

It was possible for a student to view their quiz grade before it had
been released, using a quiz web service.


Severity/Risk: 	        Serious
Versions affected: 	3.10 to 3.10.3, 3.9 to 3.9.6, 3.8 to 3.8.8, 3.5
                         to 3.5.17 and earlier unsupported versions
Versions fixed: 	3.11, 3.10.4, 3.9.7, 3.8.9 and 3.5.18
Reported by:            Nadav Kavalerchik
CVE identifier: 	CVE-2021-32473
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-70720
Tracker issue: 	        MDL-70720 Quiz unreleased grade disclosure via
                         web service

_____________________________________________________________________


MSA-21-0014: Blind SQL injection possible via MNet authentication
by Michael Hawkins, Monday 17 May 2021, 15:34


An SQL injection risk existed on sites with MNet enabled and configured,
via an XML-RPC call from the connected peer host. Note that this
required site administrator access or access to the keypair.


Severity/Risk: 	        Serious
Versions affected: 	3.10 to 3.10.3, 3.9 to 3.9.6, 3.8 to 3.8.8, 3.5
                         to 3.5.17 and earlier unsupported versions
Versions fixed: 	3.11, 3.10.4, 3.9.7, 3.8.9 and 3.5.18
Reported by:            Rekter0
CVE identifier: 	CVE-2021-32474
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-70804
Tracker issue: 	        MDL-70804 Blind SQL injection possible via MNet
                         authentication
_____________________________________________________________________


MSA-21-0015: Stored XSS in quiz grading report via user ID number
by Michael Hawkins, Monday 17 May 2021, 15:35

ID numbers displayed in the quiz grading report required additional
sanitizing to prevent a stored XSS risk.


Severity/Risk: 	        Minor
Versions affected: 	3.10 to 3.10.3, 3.9 to 3.9.6, 3.8 to 3.8.8, 3.5
                         to 3.5.17 and earlier unsupported versions
Versions fixed: 	3.11, 3.10.4, 3.9.7, 3.8.9 and 3.5.18
Reported by:            Paul Holden
CVE identifier: 	CVE-2021-32475
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71130
Tracker issue: 	        MDL-71130 Stored XSS in quiz grading report via
                         user ID number
_____________________________________________________________________


MSA-21-0016: Files API should mitigate denial-of-service risk when
adding to the draft file area
by Michael Hawkins, Monday 17 May 2021, 15:36

A denial-of-service risk was identified in the draft files area, due to
it not respecting user file upload limits.


Severity/Risk: 	        Serious
Versions affected: 	3.10 to 3.10.3, 3.9 to 3.9.6, 3.8 to 3.8.8, 3.5
                         to 3.5.17 and earlier unsupported versions
Versions fixed: 	3.11, 3.10.4, 3.9.7, 3.8.9 and 3.5.18
Reported by:            Ben Samtleben
CVE identifier: 	CVE-2021-32476
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-69028
Tracker issue: 	        MDL-69028 Files API should mitigate
                         denial-of-service risk when adding to the draft
                         file area

_____________________________________________________________________


MSA-21-0017: Last app access time is visible to non-site-admins on user
profile page
by Michael Hawkins, Monday 17 May 2021, 15:40

The last time a user accessed the mobile app is displayed on their
profile page, but should be restricted to users with the relevant
capability (site administrators by default).


Severity/Risk: 	        Minor
Versions affected: 	3.10 to 3.10.3
Versions fixed: 	3.11 and 3.10.4
Reported by:            Strifel
CVE identifier: 	CVE-2021-32477
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71513
Tracker issue: 	        MDL-71513 Last app access time is visible to
                         non-site-admins on user profile page


=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================




