
====================================================================

                             CERT-Renater

                 Information Note No. 2021/VULN364
_____________________________________________________________________

DATE                : 20/07/2021

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Moodle versions prior to 3.11.1,
                     3.10.5, 3.9.8.

=====================================================================
https://moodle.org/mod/forum/discuss.php?d=424797
https://moodle.org/mod/forum/discuss.php?d=424798
https://moodle.org/mod/forum/discuss.php?d=424799
https://moodle.org/mod/forum/discuss.php?d=424801
https://moodle.org/mod/forum/discuss.php?d=424802
https://moodle.org/mod/forum/discuss.php?d=424803
https://moodle.org/mod/forum/discuss.php?d=424804
https://moodle.org/mod/forum/discuss.php?d=424805
https://moodle.org/mod/forum/discuss.php?d=424806
https://moodle.org/mod/forum/discuss.php?d=424807
https://moodle.org/mod/forum/discuss.php?d=424808
https://moodle.org/mod/forum/discuss.php?d=424809
_____________________________________________________________________

MSA-21-0020: SQL injection risk in code fetching enrolled courses

An SQL injection risk was identified in the library fetching a user's
enrolled courses.

Severity/Risk:     Serious
Versions affected: 3.11, 3.10 to 3.10.4, 3.9 to 3.9.7 and earlier
                    unsupported versions
Versions fixed:    3.11.1, 3.10.5 and 3.9.8
Reported by:       ldesignmedia
CVE identifier:    CVE-2021-36392
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71241
Tracker issue:     MDL-71241 SQL injection risk in code fetching
                    enrolled courses
_____________________________________________________________________

MSA-21-0021: SQL injection risk in code fetching recent courses

An SQL injection risk was identified in the library fetching a user's
recent courses.

Severity/Risk:     Serious
Versions affected: 3.11, 3.10 to 3.10.4, 3.9 to 3.9.7 and earlier
                    unsupported versions
Versions fixed:    3.11.1, 3.10.5 and 3.9.8
Reported by:       0xkasper
CVE identifier:    CVE-2021-36393
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71242
Tracker issue:     MDL-71242 SQL injection risk in code fetching
                    recent courses
_____________________________________________________________________

MSA-21-0022: Remote code execution risk when Shibboleth authentication
is enabled

A remote code execution risk was identified in the Shibboleth
authentication plugin. (Note: Shibboleth authentication is disabled by
default in Moodle.)

Severity/Risk:     Serious
Versions affected: 3.11, 3.10 to 3.10.4, 3.9 to 3.9.7 and earlier
                    unsupported versions
Versions fixed:    3.11.1, 3.10.5 and 3.9.8
Reported by:       Robin Peraglie and Johannes Moritz
CVE identifier:    CVE-2021-36394
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71957
Tracker issue:     MDL-71957 Remote code execution risk when Shibboleth
                  authentication is enabled

_____________________________________________________________________

MSA-21-0023: Recursion denial of service possible due to recursive cURL
in file repository

The file repository's URL parsing required additional recursion handling
to mitigate the risk of recursion denial of service.

Severity/Risk:     Serious
Versions affected: 3.11, 3.10 to 3.10.4, 3.9 to 3.9.7 and earlier
                    unsupported versions
Versions fixed:    3.11.1, 3.10.5 and 3.9.8
Reported by:       0xkasper
CVE identifier:    CVE-2021-36395
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71922
Tracker issue:     MDL-71922 Recursion denial of service possible due to
                  recursive cURL in file repository

_____________________________________________________________________

MSA-21-0024: Blind SSRF possible against cURL blocked hosts via redirect

Insufficient redirect handling made it possible to blindly bypass cURL
blocked hosts/allowed ports restrictions, resulting in a blind SSRF
risk. (Note: The request response was still blocked and not available
to the user.)

Severity/Risk:     Serious
Versions affected: 3.11, 3.10 to 3.10.4, 3.9 to 3.9.7 and earlier
                    unsupported versions
Versions fixed:    3.11.1, 3.10.5 and 3.9.8
Reported by:       Rekter0 and Holme
CVE identifier:    CVE-2021-36396
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71916
Tracker issue:     MDL-71916 Blind SSRF possible against cURL blocked
                    hosts via redirect
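Added illustration (not Moodle's code, and not part of the CERT-Renater note): a toy fetcher with a cURL-style blocked-hosts / allowed-ports policy, showing the weak form that validates only the initial URL beside a corrected form that re-validates every redirect target. The policy values, the redirect chain and the function names are constructed for this example; the hop cap in the corrected form also shows the kind of bound on recursive fetching that MSA-21-0023 above required.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed policy mirroring the settings the advisory names (illustrative).
BLOCKED_HOSTS = ["localhost", "127.0.0.1", "169.254.169.254", "10.0.0.0/8"]
ALLOWED_PORTS = {80, 443}
# Constructed redirect chain standing in for live 3xx responses.
REDIRECTS = {
    "https://example.com/start": "http://127.0.0.1:8080/internal",
    "https://example.com/hop": "https://example.com/final",
    "https://example.com/loop": "https://example.com/loop",
}

def url_allowed(url):
    """Apply the blocked-hosts / allowed-ports policy to one URL."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    port = parts.port or (443 if parts.scheme == "https" else 80)
    if port not in ALLOWED_PORTS:
        return False
    for entry in BLOCKED_HOSTS:
        if "/" in entry:  # CIDR entry: only numeric hosts can match it
            try:
                if ipaddress.ip_address(host) in ipaddress.ip_network(entry):
                    return False
            except ValueError:
                continue  # host is a name, not an address
        elif host == entry:
            return False
    return True

def fetch_weak(url, max_hops=5):
    """MSA-21-0024 pattern: validate the first URL only, then follow blindly."""
    if not url_allowed(url):
        return ("blocked", url)
    for _ in range(max_hops):
        if url not in REDIRECTS:
            return ("fetched", url)
        url = REDIRECTS[url]
    return ("too_many_redirects", url)

def fetch_hardened(url, max_hops=5):
    """Corrected form: re-validate every hop; the cap also bounds loops."""
    for _ in range(max_hops + 1):
        if not url_allowed(url):
            return ("blocked", url)
        if url not in REDIRECTS:
            return ("fetched", url)
        url = REDIRECTS[url]
    return ("too_many_redirects", url)
```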

_____________________________________________________________________

MSA-21-0025: Messaging web service allows deletion of other users'
messages

Insufficient capability checks meant message deletions were not limited
to the current user.

Severity/Risk:     Serious
Versions affected: 3.11, 3.10 to 3.10.4, 3.9 to 3.9.7 and earlier
                    unsupported versions
Versions fixed:    3.11.1, 3.10.5 and 3.9.8
Reported by:       0xkasper
CVE identifier:    CVE-2021-36397
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71917
Tracker issue:     MDL-71917 Messaging web service allows deletion of
                    other users' messages

_____________________________________________________________________

MSA-21-0026: Stored XSS in the web service token list via user ID number

ID numbers displayed in the web service token list required additional
sanitizing to prevent a stored XSS risk.

Severity/Risk:     Minor
Versions affected: 3.11
Versions fixed:    3.11.1
Reported by:       Marina Glancy
CVE identifier:    CVE-2021-36398
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71760
Tracker issue:     MDL-71760 Stored XSS in the web service token list
                    via user ID number

_____________________________________________________________________

MSA-21-0027: Stored XSS in quiz override screens via user ID number

ID numbers displayed in the quiz override screens required additional
sanitizing to prevent a stored XSS risk.

Severity/Risk:     Minor
Versions affected: 3.11
Versions fixed:    3.11.1
Reported by:       Paul Holden
CVE identifier:    CVE-2021-36399
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71898
Tracker issue:     MDL-71898 Stored XSS in quiz override screens via
                    user ID number

_____________________________________________________________________

MSA-21-0028: IDOR allows removal of other users' calendar URL subscriptions

Insufficient capability checks made it possible to remove other users'
calendar URL subscriptions.

Severity/Risk:     Minor
Versions affected: 3.11, 3.10 to 3.10.4, 3.9 to 3.9.7 and earlier
                    unsupported versions
Versions fixed:    3.11.1, 3.10.5 and 3.9.8
Reported by:       Floerer
CVE identifier:    CVE-2021-36400
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71978
Tracker issue:     MDL-71978 IDOR allows removal of other users'
                    calendar URL subscriptions

_____________________________________________________________________

MSA-21-0029: Stored XSS when exporting to data formats supporting HTML
via user ID number

ID numbers exported in HTML data formats required additional sanitizing
to prevent a local stored XSS risk. Note that the XSS was part of the
locally downloaded file and not on the Moodle site's domain.

Severity/Risk:     Minor
Versions affected: 3.11, 3.10 to 3.10.4, 3.9 to 3.9.7 and earlier
                    unsupported versions
Versions fixed:    3.11.1, 3.10.5 and 3.9.8
Reported by:       Paul Holden
CVE identifier:    CVE-2021-36401
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71981
Tracker issue:     MDL-71981 Stored XSS when exporting to data formats
                    supporting HTML via user ID number

_____________________________________________________________________

MSA-21-0030: Insufficient escaping of users' names in account
confirmation email

Users' names required additional sanitizing in the account confirmation
email, to prevent a self-registration phishing risk.

Severity/Risk:     Minor
Versions affected: 3.11, 3.10 to 3.10.4, 3.9 to 3.9.7 and earlier
                    unsupported versions
Versions fixed:    3.11.1, 3.10.5 and 3.9.8
Reported by:       Babar Khan Akhunzada
CVE identifier:    CVE-2021-36402
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-58393
Tracker issue:     MDL-58393 Insufficient escaping of users' names in
                    account confirmation email

_____________________________________________________________________

MSA-21-0031: Messaging email notifications containing HTML may hide the
final line of the email

In some circumstances, email notifications of messages could have the
link back to the original message hidden by HTML, which may pose a
phishing risk.

Severity/Risk:     Minor
Versions affected: 3.11, 3.10 to 3.10.4, 3.9 to 3.9.7 and earlier
                    unsupported versions
Versions fixed:    3.11.1, 3.10.5 and 3.9.8
Reported by:       i_am_nobody
CVE identifier:    CVE-2021-36403
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71919
Tracker issue:     MDL-71919 Messaging email notifications containing
                    HTML may hide the final line of the email


=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================


