
=====================================================================

                                   CERT-Renater

                       Information Note No. 2022/VULN294

_____________________________________________________________________

DATE                : 30/08/2022

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Moodle versions prior to 4.0.3,
                     3.11.9, 3.9.16.

=====================================================================
https://moodle.org/mod/forum/discuss.php?d=437685
https://moodle.org/mod/forum/discuss.php?d=437684
_____________________________________________________________________


MSA-22-0022: CSRF risk in enabling/disabling installed H5P libraries
by Michael Hawkins - Monday, August 29, 2022, 6:56 PM

Enabling and disabling installed H5P libraries did not include the
necessary token to prevent a CSRF risk.


Severity/Risk:          Minor
Versions affected:      4.0 to 4.0.2 and 3.11 to 3.11.8
Versions fixed:         4.0.3 and 3.11.9
Reported by:            Paul Holden
CVE identifier:         CVE-2022-2986
Changes (master): 
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-75326
Tracker issue:          MDL-75326 CSRF risk in enabling/disabling installed
                        H5P libraries

_____________________________________________________________________


MSA-22-0021: Upgrade Mustache to latest version (upstream)
by Michael Hawkins - Monday, August 29, 2022, 6:56 PM

The Mustache template library included with Moodle has been upgraded
to the latest version, which includes a fix for a serious security
issue.


Severity/Risk:          Serious
Versions affected:      4.0 to 4.0.2, 3.11 to 3.11.8, 3.9 to 3.9.15
                        and earlier unsupported versions
Versions fixed:         4.0.3, 3.11.9 and 3.9.16
Reported by:            Lars Bonczek
CVE identifier:         CVE-2022-0323
Changes (master): 
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-75388
Tracker issue:          MDL-75388 Upgrade Mustache to latest version (upstream)

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================

