===================================================================
CERT-Renater Information Note No. 2023/VULN227
_____________________________________________________________________

DATE                : 21/06/2023
HARDWARE PLATFORM(S): /
OPERATING SYSTEM(S) : Systems running Moodle versions prior to 4.2.1, 4.1.4, 4.0.9, 3.11.15, 3.9.22.
===================================================================

https://moodle.org/mod/forum/discuss.php?dD7830
https://moodle.org/mod/forum/discuss.php?dD7831
https://moodle.org/mod/forum/discuss.php?dD7829

_____________________________________________________________________

MSA-23-0017: Minor SQL injection risk on Mnet SSO access control page
by Michael Hawkins, Monday 19 June 2023, 13:51
Number of replies: 0

A limited SQL injection risk was identified on the Mnet SSO access control page.

Severity/Risk:     Minor
Versions affected: 4.2, 4.1 to 4.1.3, 4.0 to 4.0.8, 3.11 to 3.11.14, 3.9 to 3.9.21 and earlier unsupported versions
Versions fixed:    4.2.1, 4.1.4, 4.0.9, 3.11.15 and 3.9.22
Reported by:       Paul Holden
CVE identifier:    CVE-2023-35132
Changes (master):  http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-77193
Tracker issue:     MDL-77193 Minor SQL injection risk on Mnet SSO access control page

_____________________________________________________________________

MSA-23-0018: SSRF risk due to insufficient check on the cURL blocked hosts list
by Michael Hawkins, Monday 19 June 2023, 13:53

An issue in the logic used to check 0.0.0.0 against the cURL blocked hosts list resulted in an SSRF risk.

Severity/Risk:     Serious
Versions affected: 4.2, 4.1 to 4.1.3, 4.0 to 4.0.8, 3.11 to 3.11.14, 3.9 to 3.9.21 and earlier unsupported versions
Versions fixed:    4.2.1, 4.1.4, 4.0.9, 3.11.15 and 3.9.22
Reported by:       Mateo Hanžek
CVE identifier:    CVE-2023-35133
Changes (master):  http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-78215
Tracker issue:     MDL-78215 SSRF risk due to insufficient check on the cURL blocked hosts list

_____________________________________________________________________

MSA-23-0016: XSS risk on groups page
by Michael Hawkins, Monday 19 June 2023, 13:49
Number of replies: 0

Content on the groups page required additional sanitizing to prevent an XSS risk.

Severity/Risk:     Minor
Versions affected: 4.2, 4.1 to 4.1.3, 4.0 to 4.0.8 and 3.11 to 3.11.14
Versions fixed:    4.2.1, 4.1.4, 4.0.9 and 3.11.15
Reported by:       Petr Skoda
CVE identifier:    CVE-2023-35131
Changes (master):  http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-76683
Tracker issue:     MDL-76683 XSS risk on groups page

+===================================================================+
+ CERT-RENATER       | tel : 01-53-94-20-44                          +
+ 23/25 Rue Daviel   | fax : 01-53-94-20-41                          +
+ 75013 Paris        | email: cert@support.renater.fr                +
+===================================================================+
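To make the class of defect behind MSA-23-0018 concrete for defenders, the following is an added illustration and not Moodle's code (Moodle's actual check, setting format and fix are not shown on this page). It contrasts a blocked-hosts check that only tests literal CIDR membership, which lets 0.0.0.0 through because it is not inside 127.0.0.0/8, with a check that treats unspecified addresses (0.0.0.0, ::) and IPv4-mapped IPv6 addresses as what they reach in practice. The blocklist entries, the offline DNS table and the hostnames in it are constructed for the example.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed blocklist in the spirit of a "blocked hosts" setting:
# CIDR ranges, single addresses and hostnames. Not a real default list.
BLOCKED_HOSTS = [
    "127.0.0.0/8",
    "10.0.0.0/8",
    "169.254.0.0/16",
    "::1",
    "localhost",
]

# Constructed, offline stand-in for DNS so the example runs without network
# access. The hostnames are hypothetical.
FAKE_DNS = {
    "localhost": ["127.0.0.1"],
    "intranet.example.test": ["10.1.2.3"],
    "www.example.test": ["203.0.113.10"],
}


def resolve(hostname):
    """Return the addresses a name resolves to (constructed table)."""
    return FAKE_DNS.get(hostname.lower(), [])


def parse_blocklist(entries):
    """Split entries into IP networks and lowercase hostnames."""
    nets, names = [], set()
    for entry in entries:
        entry = entry.strip().lower()
        if not entry:
            continue
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            names.add(entry)
    return nets, names


def naive_is_blocked(url, entries):
    """Weak check: literal membership only. 0.0.0.0 is not in 127.0.0.0/8,
    so it is reported as allowed even though it reaches the local host."""
    nets, names = parse_blocklist(entries)
    host = (urlsplit(url).hostname or "").lower()
    if host in names:
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # hostnames are not resolved in the naive version
    return any(ip in net for net in nets)


def canonical_addresses(ip):
    """Expand an address into every form the blocklist must be checked against."""
    addrs = [ip]
    # ::ffff:127.0.0.1 connects to the IPv4 address it embeds.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        addrs.append(ip.ipv4_mapped)
    # 0.0.0.0 / :: are "unspecified"; connecting to them reaches the local
    # host on common platforms, so check them as loopback as well.
    if ip.is_unspecified:
        loop = "127.0.0.1" if ip.version == 4 else "::1"
        addrs.append(ipaddress.ip_address(loop))
    return addrs


def is_blocked(url, entries, resolver=resolve):
    """Hardened check: match hostnames (exact or parent domain), resolve
    names, and test every canonical form of each address. Fails closed."""
    nets, names = parse_blocklist(entries)
    host = urlsplit(url).hostname
    if host is None:
        return True  # unparsable URL: refuse rather than guess
    host = host.lower()
    if host in names or any(host.endswith("." + n) for n in names):
        return True
    try:
        targets = [ipaddress.ip_address(host)]
    except ValueError:
        targets = [ipaddress.ip_address(a) for a in resolver(host)]
        if not targets:
            return True  # unresolvable name: refuse rather than guess
    for ip in targets:
        for candidate in canonical_addresses(ip):
            if any(candidate in net for net in nets):
                return True
    return False


if __name__ == "__main__":
    for u in ["http://0.0.0.0/", "http://[::]/", "http://[::ffff:127.0.0.1]/",
              "http://www.example.test/", "http://intranet.example.test/"]:
        print(u, "naive:", naive_is_blocked(u, BLOCKED_HOSTS),
              "hardened:", is_blocked(u, BLOCKED_HOSTS))
```

The hardened check resolves a name before testing it and fails closed on anything it cannot parse or resolve; in a real HTTP client the same test must also be applied to the address the client actually connects to, including after redirects, otherwise the list is only checked against the first hop.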