=====================================================================

                              CERT-Renater

                    Information Note No. 2023/VULN412

_____________________________________________________________________

DATE                : 18/10/2023

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Moodle versions prior to 4.2.3,
                              4.1.6, 4.0.11, 3.11.17, 3.9.24.

=====================================================================
https://moodle.org/mod/forum/discuss.php?d=451580
https://moodle.org/mod/forum/discuss.php?d=451581
https://moodle.org/mod/forum/discuss.php?d=451582
https://moodle.org/mod/forum/discuss.php?d=451583
https://moodle.org/mod/forum/discuss.php?d=451584
https://moodle.org/mod/forum/discuss.php?d=451585
https://moodle.org/mod/forum/discuss.php?d=451586
https://moodle.org/mod/forum/discuss.php?d=451587
https://moodle.org/mod/forum/discuss.php?d=451588
https://moodle.org/mod/forum/discuss.php?d=451589
https://moodle.org/mod/forum/discuss.php?d=451590
https://moodle.org/mod/forum/discuss.php?d=451591
https://moodle.org/mod/forum/discuss.php?d=451592
_____________________________________________________________________

MSA-23-0031: Authenticated remote code execution risk in Lesson
by Michael Hawkins, Tuesday 17 October 2023, 18:57


A remote code execution risk was identified in the Lesson activity.
By default this was only available to teachers and managers.


Severity/Risk: 	Serious
Versions affected: 	4.2 to 4.2.2, 4.1 to 4.1.5, 4.0 to 4.0.10,
                           3.11 to 3.11.16, 3.9 to 3.9.23 and earlier
                           unsupported versions
Versions fixed: 	4.2.3, 4.1.6, 4.0.11, 3.11.17 and 3.9.24
Reported by: 	Vincent Schneider (cli-ish)
CVE identifier: 	CVE-2023-5539
Changes (master): 
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-79408
Tracker issue: 	MDL-79408 Authenticated remote code execution risk in Lesson

_____________________________________________________________________


MSA-23-0032: Authenticated remote code execution risk in IMSCP
by Michael Hawkins, Tuesday 17 October 2023, 18:58


A remote code execution risk was identified in the IMSCP activity.
By default this was only available to teachers and managers.


Severity/Risk: 	Serious
Versions affected: 	4.2 to 4.2.2, 4.1 to 4.1.5, 4.0 to 4.0.10,
                          3.11 to 3.11.16, 3.9 to 3.9.23 and earlier
                          unsupported versions
Versions fixed: 	4.2.3, 4.1.6, 4.0.11, 3.11.17 and 3.9.24
Reported by: 	Vincent Schneider (cli-ish)
CVE identifier: 	CVE-2023-5540
Changes (master): 
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-79409
Tracker issue: 	MDL-79409 Authenticated remote code execution risk in
                      IMSCP

_____________________________________________________________________

MSA-23-0033: XSS risk when using CSV grade import method
by Michael Hawkins, Tuesday 17 October 2023, 18:58


The CSV grade import method contained an XSS risk for users importing
the spreadsheet, if it contained unsafe content.


Severity/Risk: 	Minor
Versions affected: 	4.2 to 4.2.2, 4.1 to 4.1.5, 4.0 to 4.0.10,
                           3.11 to 3.11.16, 3.9 to 3.9.23 and earlier
                           unsupported versions
Versions fixed: 	4.2.3, 4.1.6, 4.0.11, 3.11.17 and 3.9.24
Reported by: 	Attilio Ferrari
Workaround: 	Verify the contents and trustworthiness of grade
                   spreadsheets before importing them.
CVE identifier: 	CVE-2023-5541
Changes (master): 
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-79426
Tracker issue: 	MDL-79426 XSS risk when using CSV grade import method

_____________________________________________________________________

MSA-23-0034: Students could see other students in "Only see own
membership" groups

by Michael Hawkins, Tuesday 17 October 2023, 19:00


Students in "Only see own membership" groups could see other students
in the group, which should be hidden.


Severity/Risk: 	Minor
Versions affected: 	4.2.2
Versions fixed: 	4.2.3
Reported by: 	Eliot
CVE identifier: 	CVE-2023-5542
Changes (master): 
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-79213
Tracker issue: 	MDL-79213 Students could see other students in "Only
                   see own membership" groups

_____________________________________________________________________


MSA-23-0035: Duplicating a BigBlueButton activity assigns the same
meeting ID

by Michael Hawkins, Tuesday 17 October 2023, 19:01


When duplicating a BigBlueButton activity, the original meeting ID
was also duplicated instead of using a new ID for the new activity.
This could provide unintended access to the original meeting.


Severity/Risk: 	Minor
Versions affected: 	4.2 to 4.2.2, 4.1 to 4.1.5 and 4.0 to 4.0.10
Versions fixed: 	4.2.3, 4.1.6 and 4.0.11
Reported by: 	Lionel Caylat
Workaround: 	Manually create a fresh BigBlueButton activity instead
                   of duplicating, until the patch has been applied.
CVE identifier: 	CVE-2023-5543
Changes (master): 
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-77795
Tracker issue: 	MDL-77795 Duplicating a BigBlueButton activity assigns
                   the same meeting ID

_____________________________________________________________________


MSA-23-0036: Stored XSS and potential IDOR risk in Wiki comments

by Michael Hawkins, Tuesday 17 October 2023, 19:01


Wiki comments required additional sanitizing and access restrictions
to prevent a stored XSS risk and potential IDOR risk.


Severity/Risk: 	Serious
Versions affected: 	4.2 to 4.2.2, 4.1 to 4.1.5, 4.0 to 4.0.10,
                          3.11 to 3.11.16, 3.9 to 3.9.23 and earlier
                          unsupported versions
Versions fixed: 	4.2.3, 4.1.6, 4.0.11, 3.11.17 and 3.9.24
Reported by: 	h1w0rld
CVE identifier: 	CVE-2023-5544
Changes (master): 
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-79509
Tracker issue: 	MDL-79509 Stored XSS and potential IDOR risk in Wiki
                   comments

_____________________________________________________________________


MSA-23-0037: Auto-populated H5P author name causes a potential
information leak

by Michael Hawkins, Tuesday 17 October 2023, 19:02


H5P metadata automatically populated the author with the user's
username, which could be sensitive information.


Severity/Risk: 	Minor
Versions affected: 	4.2 to 4.2.2, 4.1 to 4.1.5, 4.0 to 4.0.10,
                          3.11 to 3.11.16, 3.9 to 3.9.23 and earlier
                          unsupported versions
Versions fixed: 	4.2.3, 4.1.6, 4.0.11, 3.11.17 and 3.9.24
Reported by: 	Josh Manders
CVE identifier: 	CVE-2023-5545
Changes (master): 
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-78820
Tracker issue: 	MDL-78820 Auto-populated H5P author name causes a
                    potential information leak

_____________________________________________________________________


MSA-23-0038: Stored XSS in quiz grading report via user ID number

by Michael Hawkins, Tuesday 17 October 2023, 19:03


ID numbers displayed in the quiz grading report required additional
sanitizing to prevent a stored XSS risk.


Severity/Risk: 	Minor
Versions affected: 	4.2 to 4.2.2, 4.1 to 4.1.5 and 4.0 to 4.0.10
Versions fixed: 	4.2.3, 4.1.6 and 4.0.11
Reported by: 	Paul Holden
CVE identifier: 	CVE-2023-5546
Changes (master): 
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-78971
Tracker issue: 	MDL-78971 Stored XSS in quiz grading report via user
                   ID number

_____________________________________________________________________


MSA-23-0039: XSS risk when previewing data in course upload tool

by Michael Hawkins, Tuesday 17 October 2023, 19:04


The course upload preview contained an XSS risk for users uploading
unsafe data.


Severity/Risk: 	Minor
Versions affected: 	4.2 to 4.2.2, 4.1 to 4.1.5, 4.0 to 4.0.10,
                          3.11 to 3.11.16, 3.9 to 3.9.23 and earlier
                          unsupported versions
Versions fixed: 	4.2.3, 4.1.6, 4.0.11, 3.11.17 and 3.9.24
Reported by: 	Paul Holden
Workaround: 	Verify the contents and trustworthiness of course
                  data before uploading it.
CVE identifier: 	CVE-2023-5547
Changes (master): 
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-79455
Tracker issue: 	MDL-79455 XSS risk when previewing data in course upload
                      tool

_____________________________________________________________________

MSA-23-0040: Make file serving endpoints revision control stricter

by Michael Hawkins, Tuesday 17 October 2023, 19:04


Stronger revision number limitations were required on file serving
endpoints to improve cache poisoning protection.


Severity/Risk: 	Minor
Versions affected: 	4.2 to 4.2.2, 4.1 to 4.1.5, 4.0 to 4.0.10,
                          3.11 to 3.11.16, 3.9 to 3.9.23 and earlier
                          unsupported versions
Versions fixed: 	4.2.3, 4.1.6, 4.0.11, 3.11.17 and 3.9.24
Reported by: 	Yaniv Nizry (SonarSource)
CVE identifier: 	CVE-2023-5548
Changes (master): 
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-77846
Tracker issue: 	MDL-77846 Make file serving endpoints revision control
                      stricter

_____________________________________________________________________


MSA-23-0041: Insufficient capability checks when updating the parent
of a course category

by Michael Hawkins, Tuesday 17 October 2023, 19:05


Insufficient web service capability checks made it possible to move
categories a user had permission to manage, to a parent category
they did not have the capability to manage.


Severity/Risk: 	Minor
Versions affected: 	4.2 to 4.2.2, 4.1 to 4.1.5, 4.0 to 4.0.10,
                          3.11 to 3.11.16, 3.9 to 3.9.23 and earlier
                          unsupported versions
Versions fixed: 	4.2.3, 4.1.6, 4.0.11, 3.11.17 and 3.9.24
Reported by: 	Erica Bithell
CVE identifier: 	CVE-2023-5549
Changes (master): 
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-66730
Tracker issue: 	MDL-66730 Insufficient capability checks when updating
                     the parent of a course category

_____________________________________________________________________

MSA-23-0042: RCE due to LFI risk in some misconfigured shared hosting
environments

by Michael Hawkins, Tuesday 17 October 2023, 19:06


In a shared hosting environment that has been misconfigured to allow
access to other users' content, a Moodle user who also has direct
access to the web server outside of the Moodle webroot could
utilise a local file include to achieve remote code execution.


Severity/Risk: 	Serious
Versions affected: 	4.2 to 4.2.2, 4.1 to 4.1.5, 4.0 to 4.0.10,
                          3.11 to 3.11.16, 3.9 to 3.9.23 and earlier
                          unsupported versions
Versions fixed: 	4.2.3, 4.1.6, 4.0.11, 3.11.17 and 3.9.24
Reported by: 	0xkasper
CVE identifier: 	CVE-2023-5550
Changes (master): 
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-72249
Tracker issue: 	MDL-72249 RCE due to LFI risk in some misconfigured
                      shared hosting environments

_____________________________________________________________________


MSA-23-0043: Forum summary report shows students from other groups
when in Separate Groups mode

by Michael Hawkins, Tuesday 17 October 2023, 19:07


Separate Groups mode restrictions were not honoured in the forum
summary report, which would display users from other groups.


Severity/Risk: 	Minor
Versions affected: 	4.2 to 4.2.2, 4.1 to 4.1.5, 4.0 to 4.0.10,
                          3.11 to 3.11.16, 3.9 to 3.9.23 and earlier
                          unsupported versions
Versions fixed: 	4.2.3, 4.1.6, 4.0.11, 3.11.17 and 3.9.24
Reported by: 	Fabián Glagovsky
CVE identifier: 	CVE-2023-5551
Changes (master): 
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-79310
Tracker issue: 	MDL-79310 Forum summary report shows students from
                      other groups when in Separate Groups mode

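To check which of the entries above still apply to a deployed instance, the following is an added example (not CERT-Renater or Moodle code) built from the affected and fixed versions listed in this note; it assumes that any branch the note does not name (for instance 3.10 or 4.3) should be reported as "not covered" rather than as clean.

```python
"""Check a deployed Moodle version against the MSA entries in this note.

Added example, not CERT-Renater or Moodle code. Affected ranges are
transcribed from the entries above; reporting branches the note does not
name (e.g. 3.10, 4.3) as "not covered" is an assumption.
"""
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]
Range = Tuple[Version, Version]  # inclusive (first, last) affected release

# "4.2 to 4.2.2, 4.1 to 4.1.5, 4.0 to 4.0.10, 3.11 to 3.11.16, 3.9 to 3.9.23"
FULL: List[Range] = [((4, 2, 0), (4, 2, 2)), ((4, 1, 0), (4, 1, 5)),
                     ((4, 0, 0), (4, 0, 10)), ((3, 11, 0), (3, 11, 16)),
                     ((3, 9, 0), (3, 9, 23))]
V4_ONLY = FULL[:3]  # entries whose affected list stops at 4.0
OLDEST_SUPPORTED: Version = (3, 9, 0)

# (advisory, affected ranges, also lists "earlier unsupported versions")
ADVISORIES = [
    ("MSA-23-0031 CVE-2023-5539", FULL, True),
    ("MSA-23-0032 CVE-2023-5540", FULL, True),
    ("MSA-23-0033 CVE-2023-5541", FULL, True),
    ("MSA-23-0034 CVE-2023-5542", [((4, 2, 2), (4, 2, 2))], False),
    ("MSA-23-0035 CVE-2023-5543", V4_ONLY, False),
    ("MSA-23-0036 CVE-2023-5544", FULL, True),
    ("MSA-23-0037 CVE-2023-5545", FULL, True),
    ("MSA-23-0038 CVE-2023-5546", V4_ONLY, False),
    ("MSA-23-0039 CVE-2023-5547", FULL, True),
    ("MSA-23-0040 CVE-2023-5548", FULL, True),
    ("MSA-23-0041 CVE-2023-5549", FULL, True),
    ("MSA-23-0042 CVE-2023-5550", FULL, True),
    ("MSA-23-0043 CVE-2023-5551", FULL, True),
]

def parse_version(text: str) -> Version:
    """Turn '4.2.2' (or '4.2', read as 4.2.0) into a comparable tuple."""
    parts = [int(p) for p in text.strip().split(".")]
    if len(parts) not in (2, 3) or min(parts) < 0:
        raise ValueError(f"unrecognised Moodle version: {text!r}")
    return (parts[0], parts[1], parts[2] if len(parts) == 3 else 0)

def applicable_advisories(text: str) -> Optional[List[str]]:
    """Entries that still apply: [] if patched, None if the branch is not
    named in this note (so an unknown branch is never reported as clean)."""
    v = parse_version(text)
    legacy = v < OLDEST_SUPPORTED
    if not legacy and not any(lo[:2] == v[:2] for lo, _ in FULL):
        return None
    return [name for name, ranges, unsupported in ADVISORIES
            if (unsupported and legacy) or any(lo <= v <= hi for lo, hi in ranges)]
```

Running `applicable_advisories("4.2.2")` lists all thirteen entries, while `"4.2.1"` omits MSA-23-0034, which the note lists for 4.2.2 only.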

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
