
=====================================================================

                               CERT-Renater

                   Information Note No. 2021/VULN608
_____________________________________________________________________

DATE                : 16/11/2021

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S) : Systems running Moodle versions prior to 3.11.4,
                      3.10.8, 3.9.11.

=====================================================================
https://moodle.org/mod/forum/discuss.php?d=429095&parent=1726798
https://moodle.org/mod/forum/discuss.php?d=429096&parent=1726799
https://moodle.org/mod/forum/discuss.php?d=429097&parent=1726802
https://moodle.org/mod/forum/discuss.php?d=429099&parent=1726805
https://moodle.org/mod/forum/discuss.php?d=429100&parent=1726807
_____________________________________________________________________

MSA-21-0038: Remote code execution risk when restoring malformed backup file

A remote code execution risk when restoring backup files was identified.

Severity/Risk:     Serious
Versions affected: 3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10 and
                    earlier unsupported versions
Versions fixed:    3.11.4, 3.10.8 and 3.9.11
Reported by:       Paul Holden
CVE identifier:    CVE-2021-3943
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-70823
Tracker issue:     MDL-70823 Remote code execution risk when restoring
                    malformed backup file

--------------------------------------------------------------------------------

MSA-21-0039: Upgrade moodle-mlbackend-python and update its reference in
/lib/mlbackend/python/classes/processor.php (upstream)

The upstream Moodle machine learning backend and its reference in
/lib/mlbackend/python/classes/processor.php were upgraded, which includes
some security updates.

Please note: If you are using Moodle Analytics, an upgrade to the
mlbackend is required. See the Analytics settings documentation for more
information about required versions and how to upgrade.

Severity/Risk:     Minor
Versions affected: 3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10 and
                    earlier unsupported versions
Versions fixed:    3.11.4, 3.10.8 and 3.9.11
Reported by:       Sara Arjona
CVE identifier:    N/A
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-70887
Tracker issue:     MDL-70887 Upgrade moodle-mlbackend-python and update
                    its reference in
                    /lib/mlbackend/python/classes/processor.php (upstream)

--------------------------------------------------------------------------------

MSA-21-0040: Reflected XSS in filetype admin tool

A URL parameter in the filetype site administrator tool required extra
sanitizing to prevent a reflected XSS risk.

Severity/Risk:     Serious
Versions affected: 3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10 and
                    earlier unsupported versions
Versions fixed:    3.11.4, 3.10.8 and 3.9.11
Reported by:       starlabs_sg
CVE identifier:    CVE-2021-43558
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-72571
Tracker issue:     MDL-72571 Reflected XSS in filetype admin tool

--------------------------------------------------------------------------------

MSA-21-0041: CSRF risk on delete related badge feature

The "delete related badge" functionality did not include the necessary
token check to prevent a CSRF risk.

Severity/Risk:     Serious
Versions affected: 3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10 and
                    earlier unsupported versions
Versions fixed:    3.11.4, 3.10.8 and 3.9.11
Reported by:       ostapbender
CVE identifier:    CVE-2021-43559
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-72370
Tracker issue:     MDL-72370 CSRF risk on delete related badge feature

--------------------------------------------------------------------------------

MSA-21-0042: IDOR in a calendar web service allows fetching of other
users' action events

Insufficient capability checks made it possible to fetch other users'
calendar action events.

Severity/Risk:     Minor
Versions affected: 3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10 and
                    earlier unsupported versions
Versions fixed:    3.11.4, 3.10.8 and 3.9.11
Reported by:       0xkasper
CVE identifier:    CVE-2021-43560
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71918
Tracker issue:     MDL-71918 IDOR in a calendar web service allows
                    fetching of other users' action events
=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================