=====================================================================

                               CERT-Renater

                    Note d'Information No. 2023/VULN187

_____________________________________________________________________

DATE                : 04/05/2023

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Moodle versions prior to 4.1.3,
                                 4.0.8, 3.11.14, 3.9.21.
=====================================================================
https://moodle.org/mod/forum/discuss.php?d=446286
https://moodle.org/mod/forum/discuss.php?d=445070
https://moodle.org/mod/forum/view.php?id=7128
_____________________________________________________________________


MSA-23-0015: Minor SQL injection risk in external Wiki method for
listing pages
par Michael Hawkins, lundi 1 mai 2023, 15:43

A limited SQL injection risk was identified in functionality used
by the Wiki activity when listing pages.


Severity/Risk:         Minor
Versions affected:     4.1 to 4.1.2, 4.0 to 4.0.7, 3.11 to 3.11.13,
                         3.9 to 3.9.20 and earlier unsupported versions
Versions fixed:        4.1.3, 4.0.8, 3.11.14 and 3.9.21
Reported by:           Paul Holden
CVE identifier:        CVE-2023-30944
Changes (master): 
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-77187
Tracker issue: 	MDL-77187 Minor SQL injection risk in external Wiki
                  method for listing pages
_____________________________________________________________________


MSA-23-0014: TinyMCE loaders susceptible to Arbitrary Folder Creation
par Michael Hawkins, lundi 1 mai 2023, 15:42

Insufficient sanitizing of loaders used by TinyMCE resulted in an
arbitrary folder creation risk.


Severity/Risk:          Serious
Versions affected: 	4.1 to 4.1.2
Versions fixed: 	4.1.3
Reported by:            Yaniv Nizry (SonarSource)
CVE identifier:         CVE-2023-30943
Changes (master): 
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-77718
Tracker issue: 	MDL-77718 TinyMCE loaders susceptible to Arbitrary 
Folder Creation


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================