=====================================================================
                            CERT-Renater

                Information Note No. 2023/VULN021
_____________________________________________________________________

DATE                 : 24/01/2023

HARDWARE PLATFORM(S) : /

OPERATING SYSTEM(S)  : Systems running Moodle versions prior to
                       4.1.1, 4.0.6, 3.11.12, 3.9.19.

=====================================================================
https://moodle.org/mod/forum/discuss.php?d=443272
https://moodle.org/mod/forum/discuss.php?d=443273
https://moodle.org/mod/forum/discuss.php?d=443274
_____________________________________________________________________

MSA-23-0001: Reflected XSS risk in some returnurl parameters
by Michael Hawkins, Tuesday, 24 January 2023, 10:48

Some returnurl parameters required additional sanitizing to prevent a
reflected XSS risk.

Severity/Risk:     Serious
Versions affected: 4.1, 4.0 to 4.0.5, 3.11 to 3.11.11, 3.9 to 3.9.18
                   and earlier unsupported versions
Versions fixed:    4.1.1, 4.0.6, 3.11.12 and 3.9.19
Reported by:       DegrangeM
CVE identifier:    Pending
Changes (master):  http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-76810
Tracker issue:     MDL-76810 Reflected XSS risk in some returnurl
                   parameters
_____________________________________________________________________

MSA-23-0002: Reflected XSS risk in blog search
by Michael Hawkins, Tuesday, 24 January 2023, 10:49

Blog search required additional sanitizing to prevent a reflected XSS
risk.

Severity/Risk:     Serious
Versions affected: 4.1 and 4.0 to 4.0.5
Versions fixed:    4.1.1, 4.0.6
Reported by:       Unknown (name not provided)
CVE identifier:    Pending
Changes (master):  http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-76861
Tracker issue:     MDL-76861 Reflected XSS risk in blog search
_____________________________________________________________________

MSA-23-0003: Possible to set the preferred "start page" of other users
by Michael Hawkins, Tuesday, 24 January 2023, 10:50

Insufficient limitations on the "start page" preference made it
possible to set that preference for another user. (Note: This was
still limited to the pre-defined start page options)

Severity/Risk:     Minor
Versions affected: 4.1, 4.0 to 4.0.5, 3.11 to 3.11.11, 3.9 to 3.9.18
                   and earlier unsupported versions
Versions fixed:    4.1.1, 4.0.6, 3.11.12 and 3.9.19
Reported by:       Paul Holden
CVE identifier:    Pending
Changes (master):  http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-76862
Tracker issue:     MDL-76862 Possible to set the preferred "start
                   page" of other users

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |  email:cert@support.renater.fr  +
=========================================================