======================================================================

                                CERT-Renater

                    Information Note No. 2024/VULN289
_____________________________________________________________________

DATE                : 19/06/2024

HARDWARE PLATFORM(S): /
OPERATING SYSTEM(S) : Systems running Moodle versions prior to
                      4.4.1, 4.3.5, 4.2.8, 4.1.11.

=====================================================================
https://moodle.org/mod/forum/discuss.php?d=459498
https://moodle.org/mod/forum/discuss.php?d=459499
https://moodle.org/mod/forum/discuss.php?d=459500
https://moodle.org/mod/forum/discuss.php?d=459501
https://moodle.org/mod/forum/discuss.php?d=459502
_____________________________________________________________________


MSA-24-0021: BigBlueButton web service leaks meeting joining
information to users who should not have access
by Michael Hawkins, Wednesday, 19 June 2024, 01:05


Insufficient capability checks meant it was possible for users to
gain access to BigBlueButton join URLs they did not have permission
to access.

Severity/Risk:      Minor
Versions affected:  4.4, 4.3 to 4.3.4, 4.2 to 4.2.7, 4.1 to 4.1.10
                    and earlier unsupported versions
Versions fixed:     4.4.1, 4.3.5, 4.2.8 and 4.1.11
Reported by:        Paul Holden
CVE identifier:     CVE-2024-38273
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-81778
Tracker issue:      MDL-81778 BigBlueButton web service leaks meeting
                    joining information to users who should not have access


_____________________________________________________________________


MSA-24-0022: Stored XSS via calendar's event title when deleting the
event
by Michael Hawkins, Wednesday, 19 June 2024, 01:06


Insufficient escaping of calendar event titles resulted in a stored
XSS risk in the event deletion prompt.

Severity/Risk:      Minor
Versions affected:  4.4, 4.3 to 4.3.4, 4.2 to 4.2.7, 4.1 to 4.1.10
                    and earlier unsupported versions
Versions fixed:     4.4.1, 4.3.5, 4.2.8 and 4.1.11
Reported by:        Meirza
CVE identifier:     CVE-2024-38274
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-81412
Tracker issue:      MDL-81412 Stored XSS via calendar's event title when
                    deleting the event
_____________________________________________________________________


MSA-24-0023: HTTP authorization header is preserved between "emulated
redirects"
by Michael Hawkins, Wednesday, 19 June 2024, 01:07


The cURL wrapper in Moodle retained the original request headers when
following redirects, so HTTP authorization header information could
be unintentionally sent in requests to redirect URLs.

Severity/Risk:      Minor
Versions affected:  4.4, 4.3 to 4.3.4, 4.2 to 4.2.7, 4.1 to 4.1.10
                    and earlier unsupported versions
Versions fixed:     4.4.1, 4.3.5, 4.2.8 and 4.1.11
Reported by:        cameron1729
CVE identifier:     CVE-2024-38275
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-81774
Tracker issue:      MDL-81774 HTTP authorization header is preserved
                    between "emulated redirects"
_____________________________________________________________________
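
Added example for MSA-24-0023 (not Moodle's code or patch): an emulated-redirect loop in Python showing how carrying the original headers to every hop sends the Authorization header to another origin, next to a variant that drops credential headers when the origin changes. The hosts, token, `ROUTES` table and all function names are constructed for illustration; dropping credentials on origin change is this example's policy assumption.

```python
from urllib.parse import urljoin, urlsplit

CREDENTIAL_HEADERS = {"authorization", "proxy-authorization", "cookie"}
REDIRECTS = {301, 302, 303, 307, 308}

# Constructed redirect chain; hosts are placeholders, not real services.
ROUTES = {
    "https://lms.example/api/file": (302, "/api/file2"),
    "https://lms.example/api/file2": (302, "https://cdn.example.net/blob"),
    "https://cdn.example.net/blob": (200, None),
}

def fake_transport(url, headers):
    """Stand-in for one HTTP request: returns (status, Location)."""
    return ROUTES[url]

def origin(url):
    p = urlsplit(url)
    return (p.scheme, p.hostname, p.port or {"http": 80, "https": 443}.get(p.scheme))

def next_hop_headers(headers, current_url, next_url):
    """Keep headers on same-origin hops; drop credentials otherwise."""
    if origin(current_url) == origin(next_url):
        return dict(headers)
    return {k: v for k, v in headers.items()
            if k.lower() not in CREDENTIAL_HEADERS}

def fetch_emulated(url, headers, transport=fake_transport,
                   max_redirects=5, strip=True):
    """Follow redirects by hand; return [(url, headers_sent), ...]."""
    sent = []
    for _ in range(max_redirects + 1):
        sent.append((url, dict(headers)))
        status, location = transport(url, headers)
        if status not in REDIRECTS or not location:
            return sent
        target = urljoin(url, location)   # Location may be relative
        if strip:                         # strip=False models the flaw
            headers = next_hop_headers(headers, url, target)
        url = target
    raise RuntimeError("too many redirects")

def leaked_hops(sent):
    """URLs off the first hop's origin that received a credential header."""
    first = origin(sent[0][0])
    return [u for u, h in sent if origin(u) != first
            and any(k.lower() in CREDENTIAL_HEADERS for k in h)]
```

`leaked_hops` can be run over a recorded request trail in a regression test to confirm that no credential header leaves the origin it was issued for.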


MSA-24-0024: CSRF risks due to misuse of confirm_sesskey
by Michael Hawkins, Wednesday, 19 June 2024, 01:09


Incorrect CSRF token checks resulted in multiple CSRF risks.

Severity/Risk:      Serious
Versions affected:  4.4, 4.3 to 4.3.4, 4.2 to 4.2.7, 4.1 to 4.1.10
                    and earlier unsupported versions
Versions fixed:     4.4.1, 4.3.5, 4.2.8 and 4.1.11
Reported by:        Vincent Schneider (cli-ish)
CVE identifier:     CVE-2024-38276
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-81890
Tracker issue:      MDL-81890 CSRF risks due to misuse of confirm_sesskey

_____________________________________________________________________


MSA-24-0025: QR login key and auto-login key for the Moodle mobile
app should be generated as separate keys
by Michael Hawkins, Wednesday, 19 June 2024, 01:10


A unique key should be generated for a user's QR login key and their
auto-login key, so the same key cannot be used interchangeably
between the two.

Severity/Risk:      Minor
Versions affected:  4.4, 4.3 to 4.3.4, 4.2 to 4.2.7, 4.1 to 4.1.10
                    and earlier unsupported versions
Versions fixed:     4.4.1, 4.3.5, 4.2.8 and 4.1.11
Reported by:        Juan Leyva
CVE identifier:     CVE-2024-38277
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-80959
Tracker issue:      MDL-80959 QR login key and auto-login key for the
                    Moodle mobile app should be generated as separate keys


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
