=====================================================================

                                  CERT-Renater

                       Information Note No. 2024/VULN003

_____________________________________________________________________

DATE                : 03/01/2024

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Moodle versions prior to 4.3.1,
                     4.2.4, 4.1.7, 4.0.12, 3.11.18, 3.9.25.

=====================================================================
https://moodle.org/mod/forum/discuss.php?d=453758
https://moodle.org/mod/forum/discuss.php?d=453759
https://moodle.org/mod/forum/discuss.php?d=453760
https://moodle.org/mod/forum/discuss.php?d=453761
https://moodle.org/mod/forum/discuss.php?d=453762
https://moodle.org/mod/forum/discuss.php?d=453763
https://moodle.org/mod/forum/discuss.php?d=453764
https://moodle.org/mod/forum/discuss.php?d=453765
https://moodle.org/mod/forum/discuss.php?d=453766
https://moodle.org/mod/forum/discuss.php?d=453767
_____________________________________________________________________


MSA-23-0044: Authenticated remote code execution risk in logstore
as manager

by Michael Hawkins, Thursday 21 December 2023, 02:23


A remote code execution risk was identified in logstore. By default
this was only available to managers.


Severity/Risk:      Serious
Versions affected:  4.3, 4.2 to 4.2.3, 4.1 to 4.1.6, 4.0 to 4.0.11,
                    3.11 to 3.11.17, 3.9 to 3.9.24 and earlier
                    unsupported versions
Versions fixed:     4.3.1, 4.2.4, 4.1.7, 4.0.12, 3.11.18 and 3.9.25
Reported by:        Vincent Schneider (cli-ish)
CVE identifier:     CVE-2023-6661
Changes (master):
                    http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-80174
Tracker issue:      MDL-80174 Authenticated remote code execution risk
                    in logstore as manager

_____________________________________________________________________

MSA-23-0045: DOS risk in URL downloader
by Michael Hawkins, Thursday 21 December 2023, 02:24


Insufficient recursion limitations resulted in a denial of service
risk in the URL downloader.


Severity/Risk:      Serious
Versions affected:  4.3, 4.2 to 4.2.3, 4.1 to 4.1.6, 4.0 to 4.0.11,
                    3.11 to 3.11.17, 3.9 to 3.9.24 and earlier
                    unsupported versions
Versions fixed:     4.3.1, 4.2.4, 4.1.7, 4.0.12, 3.11.18 and 3.9.25
Reported by:        herocharge
CVE identifier:     CVE-2023-6662
Changes (master):
                    http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-79759
Tracker issue:      MDL-79759 DOS risk in URL downloader
_____________________________________________________________________

MSA-23-0046: Authenticated remote code execution risk in course
blocks
by Michael Hawkins, Thursday 21 December 2023, 02:25

A remote code execution risk was identified in course blocks. By
default this was only available to teachers and managers.


Severity/Risk:      Serious
Versions affected:  4.3, 4.2 to 4.2.3, 4.1 to 4.1.6, 4.0 to 4.0.11,
                    3.11 to 3.11.17, 3.9 to 3.9.24 and earlier
                    unsupported versions
Versions fixed:     4.3.1, 4.2.4, 4.1.7, 4.0.12, 3.11.18 and 3.9.25
Reported by:        Vincent Schneider (cli-ish)
CVE identifier:     CVE-2023-6663
Changes (master):
                    http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-79797
Tracker issue:      MDL-79797 Authenticated remote code execution risk
                    in course blocks

_____________________________________________________________________


MSA-23-0047: Logs and Live logs course reports did not respect
activity group settings
by Michael Hawkins, Thursday 21 December 2023, 02:26


Separate Groups mode restrictions were not honoured in the Logs and
Live logs course reports, which would display users from other
groups.


Severity/Risk:      Minor
Versions affected:  4.3, 4.2 to 4.2.3, 4.1 to 4.1.6, 4.0 to 4.0.11,
                    3.11 to 3.11.17, 3.9 to 3.9.24 and earlier
                    unsupported versions
Versions fixed:     4.3.1, 4.2.4, 4.1.7, 4.0.12, 3.11.18 and 3.9.25
Reported by:        Ankit Agarwal
CVE identifier:     CVE-2023-6664
Changes (master):
                    http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-41465
Tracker issue:      MDL-41465 Logs and Live logs course reports did not
                    respect activity group settings

_____________________________________________________________________


MSA-23-0048: Stored XSS in grader report via user ID number
by Michael Hawkins, Thursday 21 December 2023, 02:27


ID numbers displayed in the grader report required additional
sanitizing to prevent a stored XSS risk.


Severity/Risk:      Minor
Versions affected:  4.3 and 4.2 to 4.2.3
Versions fixed:     4.3.1 and 4.2.4
Reported by:        Paul Holden
CVE identifier:     CVE-2023-6665
Changes (master):
                    http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-80239
Tracker issue:      MDL-80239 Stored XSS in grader report via user
                    ID number

_____________________________________________________________________


MSA-23-0049: Reflected XSS risk in grader report search
by Michael Hawkins, Thursday 21 December 2023, 02:28


The grader report search required additional sanitizing to prevent
a reflected XSS risk.


Severity/Risk:      Minor
Versions affected:  4.3 and 4.2 to 4.2.3
Versions fixed:     4.3.1 and 4.2.4
Reported by:        Paul Holden
CVE identifier:     CVE-2023-6666
Changes (master):
                    http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-80287
Tracker issue:      MDL-80287 Reflected XSS risk in grader report search

_____________________________________________________________________


MSA-23-0050: Survey responses did not respect group settings
by Michael Hawkins, Thursday 21 December 2023, 02:30


Separate Groups mode restrictions were not honoured in survey
response reports, which would display users from other groups.


Severity/Risk:      Minor
Versions affected:  4.3, 4.2 to 4.2.3, 4.1 to 4.1.6, 4.0 to 4.0.11,
                    3.11 to 3.11.17, 3.9 to 3.9.24 and earlier
                    unsupported versions
Versions fixed:     4.3.1, 4.2.4, 4.1.7, 4.0.12, 3.11.18 and 3.9.25
Reported by:        Leon Stringer
CVE identifier:     CVE-2023-6667
Changes (master):
                    http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-79980
Tracker issue:      MDL-79980 Survey responses did not respect group
                    settings
_____________________________________________________________________


MSA-23-0051: Badge recipients are available to all users
by Michael Hawkins, Thursday 21 December 2023, 02:30

Insufficient capability checks meant it was possible for all users
to view the recipients of badges.


Severity/Risk:      Minor
Versions affected:  4.3, 4.2 to 4.2.3, 4.1 to 4.1.6, 4.0 to 4.0.11,
                    3.11 to 3.11.17, 3.9 to 3.9.24 and earlier
                    unsupported versions
Versions fixed:     4.3.1, 4.2.4, 4.1.7, 4.0.12, 3.11.18 and 3.9.25
Reported by:        Sara Arjona (@sarjona)
CVE identifier:     CVE-2023-6668
Changes (master):
                    http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-80268
Tracker issue:      MDL-80268 Badge recipients are available to all users

_____________________________________________________________________


MSA-23-0052: XSS risk when manually running a task in the admin UI
by Michael Hawkins, Thursday 21 December 2023, 02:32

The mtrace output when running a task in the admin UI required
additional sanitizing to prevent an XSS risk.


Severity/Risk:      Minor
Versions affected:  4.3, 4.2 to 4.2.3, 4.1 to 4.1.6, 4.0 to 4.0.11,
                    3.11 to 3.11.17, 3.9 to 3.9.24 and earlier
                    unsupported versions
Versions fixed:     4.3.1, 4.2.4, 4.1.7, 4.0.12, 3.11.18 and 3.9.25
Reported by:        Brendan Heywood
CVE identifier:     CVE-2023-6669
Changes (master):
                    http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-80309
Tracker issue:      MDL-80309 XSS risk when manually running a task in
                    the admin UI

_____________________________________________________________________


MSA-23-0053: Reflected XSS risk on ad-hoc tasks page
by Michael Hawkins, Thursday 21 December 2023, 02:34


The "classname" parameter on the admin ad-hoc tasks page required
additional sanitizing to prevent a reflected XSS risk.


Severity/Risk:      Serious
Versions affected:  4.3 and 4.2 to 4.2.3
Versions fixed:     4.3.1 and 4.2.4
Reported by:        Paul Holden
CVE identifier:     CVE-2023-6670
Changes (master):
                    http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-79839
Tracker issue:      MDL-79839 Reflected XSS risk on ad-hoc tasks page
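As an added example (not part of this CERT-Renater bulletin and not Moodle's own tooling), the following Python script decides, branch by branch, which of the advisories above still apply to a given Moodle version, using the "Versions fixed" values listed in the bulletin. It assumes that branches newer than 4.3 already carry the fixes and that unsupported branches such as 3.10 receive none; neither point is stated in the bulletin.

```python
"""Branch-aware check of a Moodle version against the fixed releases in this
bulletin. Added example, not CERT-Renater or Moodle tooling."""
import re
from typing import Dict, List, Tuple

# First fixed release of each supported branch, as listed in the bulletin.
FIXED: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (4, 3): (4, 3, 1), (4, 2): (4, 2, 4), (4, 1): (4, 1, 7),
    (4, 0): (4, 0, 12), (3, 11): (3, 11, 18), (3, 9): (3, 9, 25),
}
ALL_BRANCHES = list(FIXED)
RECENT_ONLY = [(4, 3), (4, 2)]  # advisories listing only "4.3 and 4.2 to 4.2.3"

# Branches named in each advisory's "Versions affected" field.
ADVISORIES: Dict[str, List[Tuple[int, int]]] = {
    "MSA-23-0044 (CVE-2023-6661)": ALL_BRANCHES,
    "MSA-23-0045 (CVE-2023-6662)": ALL_BRANCHES,
    "MSA-23-0046 (CVE-2023-6663)": ALL_BRANCHES,
    "MSA-23-0047 (CVE-2023-6664)": ALL_BRANCHES,
    "MSA-23-0048 (CVE-2023-6665)": RECENT_ONLY,
    "MSA-23-0049 (CVE-2023-6666)": RECENT_ONLY,
    "MSA-23-0050 (CVE-2023-6667)": ALL_BRANCHES,
    "MSA-23-0051 (CVE-2023-6668)": ALL_BRANCHES,
    "MSA-23-0052 (CVE-2023-6669)": ALL_BRANCHES,
    "MSA-23-0053 (CVE-2023-6670)": RECENT_ONLY,
}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse '4.2.3', or '4.3' for the first release of a branch, into a tuple."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"not a Moodle release version: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def applicable_advisories(version: str) -> List[str]:
    """Advisories from this bulletin that still apply to the given version.
    Comparison is per branch: 4.1.7 is fixed although it sorts below 4.2.3,
    which is not. Assumption (not stated in the bulletin): branches newer than
    4.3 already carry the fixes, while unsupported branches such as 3.10 get
    none and are treated like the "earlier unsupported versions".
    """
    ver = parse_version(version)
    branch = ver[:2]
    if branch > (4, 3) or (branch in FIXED and ver >= FIXED[branch]):
        return []
    return [name for name, branches in ADVISORIES.items()
            if branch in branches or (branch not in FIXED and branches == ALL_BRANCHES)]
```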


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
