===================================================================== CERT-Renater Note d'Information No. 2022/VULN033 _____________________________________________________________________ DATE : 25/01/2022 HARDWARE PLATFORM(S): / OPERATING SYSTEM(S): Systems running Moodle versions prior to 3.11.5, 3.10.9, 3.9.12. ===================================================================== https://moodle.org/mod/forum/discuss.php?d=431099 https://moodle.org/mod/forum/discuss.php?d=431100 https://moodle.org/mod/forum/discuss.php?d=431102 https://moodle.org/mod/forum/discuss.php?d=431103 _____________________________________________________________________ MSA-22-0001: SQL injection risk in code fetching h5p activity user attempts par Michael Hawkins,lundi 24 janvier 2022, 14:40 An SQL injection risk was identified in the h5p activity web service responsible for fetching user attempt data. Severity/Risk: Serious Versions affected: 3.11 to 3.11.4 Versions fixed: 3.11.5 Reported by: Paul Holden CVE identifier: CVE-2022-0332 Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-72573 Tracker issue: MDL-72573 SQL injection risk in code fetching h5p activity user attempts _____________________________________________________________________ MSA-22-0002: calendar:manageentries capability allows CRUD access to all calendar events par Michael Hawkins,lundi 24 janvier 2022, 14:44 The calendar: manageentries capability allowed managers to access or modify any calendar event, but should have been restricted from accessing user level events. Severity/Risk: Minor Versions affected: 3.11 to 3.11.4, 3.10 to 3.10.8, 3.9 to 3.9.11 and earlier unsupported versions Versions fixed: 3.11.5, 3.10.9 and 3.9.12 Reported by: oct0pus7 CVE identifier: CVE-2022-0333 Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71239 Tracker issue: MDL-71239 calendar:manageentries capability allows CRUD access to all calendar events _____________________________________________________________________ MSA-22-0003: Capability gradereport/user:view not always respected when navigating to a user's course grade report par Michael Hawkins,lundi 24 janvier 2022, 14:54 Insufficient capability checks could lead to users accessing their grade report for courses where they did not have the required gradereport/user:view capability. Severity/Risk: Minor Versions affected: 3.11 to 3.11.4, 3.10 to 3.10.8, 3.9 to 3.9.11 and earlier unsupported versions Versions fixed: 3.11.5, 3.10.9 and 3.9.12 Reported by: Deds Castillo CVE identifier: CVE-2022-0334 Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-72772 Tracker issue: MDL-72772 Capability gradereport/user:view not always respected when navigating to a user's course grade report _____________________________________________________________________ MSA-22-0004: CSRF risk in badge alignment deletion par Michael Hawkins,lundi 24 janvier 2022, 14:56 The "delete badge alignment" functionality did not include the necessary token check to prevent a CSRF risk. Severity/Risk: Serious Versions affected: 3.11 to 3.11.4, 3.10 to 3.10.8, 3.9 to 3.9.11 and earlier unsupported versions Versions fixed: 3.11.5, 3.10.9 and 3.9.12 Reported by: Ostapbender CVE identifier: CVE-2022-0335 Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-72367 Tracker issue: MDL-72367 CSRF risk in badge alignment deletion ========================================================= + CERT-RENATER | tel : 01-53-94-20-44 + + 23/25 Rue Daviel | fax : 01-53-94-20-41 + + 75013 Paris | email:cert@support.renater.fr + =========================================================