=====================================================================
                            CERT-Renater

                 Information Note No. 2025/VULN247
_____________________________________________________________________

DATE                 : 23/04/2025

HARDWARE PLATFORM(S) : /

OPERATING SYSTEM(S)  : Systems running Moodle versions prior to
                       4.5.4, 4.4.8, 4.3.12, 4.1.18.

=====================================================================
https://moodle.org/mod/forum/discuss.php?d=467592
https://moodle.org/mod/forum/discuss.php?d=467593
https://moodle.org/mod/forum/discuss.php?d=467594
https://moodle.org/mod/forum/discuss.php?d=467595
https://moodle.org/mod/forum/discuss.php?d=467596
https://moodle.org/mod/forum/discuss.php?d=467597
https://moodle.org/mod/forum/discuss.php?d=467598
https://moodle.org/mod/forum/discuss.php?d=467599
https://moodle.org/mod/forum/discuss.php?d=467600
https://moodle.org/mod/forum/discuss.php?d=467601
https://moodle.org/mod/forum/discuss.php?d=467602
https://moodle.org/mod/forum/discuss.php?d=467603
https://moodle.org/mod/forum/discuss.php?d=467604
https://moodle.org/mod/forum/discuss.php?d=467605
https://moodle.org/mod/forum/discuss.php?d=467606
https://moodle.org/mod/forum/discuss.php?d=467607
_____________________________________________________________________

MSA-25-0013: Remote code execution risk via MimeTeX command (upstream)
by Michael Hawkins, Tuesday, 22 April 2025, 12:00

Insufficient sanitizing in an undocumented MimeTeX command resulted in a remote code execution risk for sites using MimeTeX (via the TeX Notation filter).

Please also note that due to MimeTeX being un-maintained and without security updates for an extended period of time, it is considered an increasing security risk and not recommended for production use (see workaround below). For this reason MimeTeX support will also be removed from Moodle LMS in the near future.

Severity/Risk: Serious
Versions affected: 4.5 to 4.5.3, 4.4 to 4.4.7, 4.3 to 4.3.11, 4.1 to 4.1.17 and earlier unsupported versions
Versions fixed: 4.5.4, 4.4.8, 4.3.12 and 4.1.18
Reported by: TaiYou
Workaround: Disable the TeX Notation filter until the patch is applied. If an alternative mathematical formula filter is required, consider configuring the MathJax filter instead. Alternatively, if you provide valid paths to LaTeX, dvips and convert binaries in the TeX Notation filter settings, the filter will use those instead of MimeTeX, as MimeTeX is the filter's fallback option. If setting the TeX Notation filter binary paths, you may wish to additionally insert a false MimeTeX path such as "x" that is not a valid executable, so that even if the system attempts to use MimeTeX, it fails to execute (leaving it blank does not have the same effect, because it then uses a version of MimeTeX included with Moodle LMS).
CVE identifier: CVE-2024-40446
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-85152
Tracker issue: MDL-85152 Remote code execution risk via MimeTeX command (upstream)
_____________________________________________________________________

MSA-25-0014: User DoS and name disclosure risks via IDOR in MFA email factor revoke action
by Michael Hawkins, Tuesday, 22 April 2025, 12:01

A missing check in the Multi-Factor Authentication email factor's revoke/cancel action could lead to a Denial of Service risk for users logging in who have email as their only available second factor. If exploited, the impacted user's name was disclosed.

Severity/Risk: Serious
Versions affected: 4.5 to 4.5.3, 4.4 to 4.4.7 and 4.3 to 4.3.11
Versions fixed: 4.5.4, 4.4.8 and 4.3.12
Reported by: vi22
CVE identifier: CVE-2025-3625
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-85015
Tracker issue: MDL-85015 User DoS and name disclosure risks via IDOR in MFA email factor revoke action
_____________________________________________________________________

MSA-25-0015: Some user data available before completing second factor with MFA enabled
by Michael Hawkins, Tuesday, 22 April 2025, 12:02

On sites with Multi-Factor Authentication enabled, it was possible for a user to access some of their data after passing only the first login factor (such as passing a username/password check). The user should have to also pass a second factor check before gaining access to that data.

Severity/Risk: Minor
Versions affected: 4.5 to 4.5.3, 4.4 to 4.4.7 and 4.3 to 4.3.11
Versions fixed: 4.5.4, 4.4.8 and 4.3.12
Reported by: AntnioVilelac
CVE identifier: CVE-2025-3627
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-84351
Tracker issue: MDL-84351 Some user data available before completing second factor with MFA enabled
_____________________________________________________________________

MSA-25-0016: Assignment submissions search on anonymous submissions reveals student identities
by Michael Hawkins, Tuesday, 22 April 2025, 12:03

Additional capability checks were required to prevent teachers from being able to identify a user's anonymous assignment submissions via the submissions search.

Severity/Risk: Minor
Versions affected: 4.5 to 4.5.3
Versions fixed: 4.5.4
Reported by: Eliot
CVE identifier: CVE-2025-3628
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-84447
Tracker issue: MDL-84447 Assignment submissions search on anonymous submissions reveals student identities
_____________________________________________________________________

MSA-25-0017: Self enrolment available before completing second factor with MFA enabled
by Michael Hawkins, Tuesday, 22 April 2025, 12:04

On sites with Multi-Factor Authentication enabled, it was possible to use course self enrolment after passing only the first login factor (such as passing a username/password check). The user should also have to pass a second login factor before gaining access to self enrolment.

Severity/Risk: Minor
Versions affected: 4.5 to 4.5.3, 4.4 to 4.4.7 and 4.3 to 4.3.11
Versions fixed: 4.5.4, 4.4.8 and 4.3.12
Reported by: Guillaume Barat
CVE identifier: CVE-2025-3634
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-84784
Tracker issue: MDL-84784 Self enrolment available before completing second factor with MFA enabled
_____________________________________________________________________

MSA-25-0018: CSRF risk in user tours manager allows tour duplication
by Michael Hawkins, Tuesday, 22 April 2025, 12:05

The user tours duplicate tour action did not include the necessary token to prevent a CSRF risk.

Severity/Risk: Minor
Versions affected: 4.5 to 4.5.3, 4.4 to 4.4.7, 4.3 to 4.3.11, 4.1 to 4.1.17 and earlier unsupported versions
Versions fixed: 4.5.4, 4.4.8, 4.3.12 and 4.1.18
Reported by: Vincent Schneider (cli-ish)
CVE identifier: CVE-2025-3635
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-84479
Tracker issue: MDL-84479 CSRF risk in user tours manager allows tour duplication
_____________________________________________________________________

MSA-25-0019: IDOR in RSS block allows access to additional RSS feeds
by Michael Hawkins, Tuesday, 22 April 2025, 12:06

Insufficient capability checks made it possible to view RSS feed content a user does not have permission to access.

Severity/Risk: Minor
Versions affected: 4.5 to 4.5.3, 4.4 to 4.4.7, 4.3 to 4.3.11, 4.1 to 4.1.17 and earlier unsupported versions
Versions fixed: 4.5.4, 4.4.8, 4.3.12 and 4.1.18
Reported by: Vincent Schneider (cli-ish)
CVE identifier: CVE-2025-3636
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-84499
Tracker issue: MDL-84499 IDOR in RSS block allows access to additional RSS feeds
_____________________________________________________________________

MSA-25-0020: mod_data edit/delete pages pass CSRF token in GET parameter
by Michael Hawkins, Tuesday, 22 April 2025, 12:07

A user's CSRF token was unnecessarily included in the URL on the database module's edit and delete pages.

Severity/Risk: Minor
Versions affected: 4.5 to 4.5.3, 4.4 to 4.4.7, 4.3 to 4.3.11, 4.1 to 4.1.17 and earlier unsupported versions
Versions fixed: 4.5.4, 4.4.8, 4.3.12 and 4.1.18
Reported by: Simon Reinhart
CVE identifier: CVE-2025-3637
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-65356
Tracker issue: MDL-65356 mod_data edit/delete pages pass CSRF token in GET parameter
_____________________________________________________________________

MSA-25-0021: CSRF risk in Brickfield tool's analysis request action
by Michael Hawkins, Tuesday, 22 April 2025, 12:08

The analysis request action in the Brickfield tool did not include the necessary token to prevent a CSRF risk.

Severity/Risk: Minor
Versions affected: 4.5 to 4.5.3, 4.4 to 4.4.7, 4.3 to 4.3.11, 4.1 to 4.1.17 and earlier unsupported versions
Versions fixed: 4.5.4, 4.4.8, 4.3.12 and 4.1.18
Reported by: Vincent Schneider (cli-ish)
CVE identifier: CVE-2025-3638
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-84478
Tracker issue: MDL-84478 CSRF risk in Brickfield tool's analysis request action
_____________________________________________________________________

MSA-25-0022: IDOR in web service allows users enrolled in a course to access some details of other users
by Michael Hawkins, Tuesday, 22 April 2025, 12:09

Insufficient capability checks made it possible for a user enrolled in a course to access some details (full name and profile image URL) of other users they did not have permission to access.

Severity/Risk: Minor
Versions affected: 4.5 to 4.5.3, 4.4 to 4.4.7, 4.3 to 4.3.11, 4.1 to 4.1.17 and earlier unsupported versions
Versions fixed: 4.5.4, 4.4.8, 4.3.12 and 4.1.18
Reported by: Khikhi
CVE identifier: CVE-2025-3640
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-84750
Tracker issue: MDL-84750 IDOR in web service allows users enrolled in a course to access some details of other users
_____________________________________________________________________

MSA-25-0023: Authenticated remote code execution risk in the Moodle LMS Dropbox repository
by Michael Hawkins, Tuesday, 22 April 2025, 12:10

A remote code execution risk was identified in the Moodle LMS Dropbox repository. By default this was only available to teachers and managers, on sites with the Dropbox repository enabled.

Severity/Risk: Serious
Versions affected: 4.5 to 4.5.3, 4.4 to 4.4.7, 4.3 to 4.3.11, 4.1 to 4.1.17 and earlier unsupported versions
Versions fixed: 4.5.4, 4.4.8, 4.3.12 and 4.1.18
Reported by: Vincent Schneider (cli-ish)
Workaround: Disable the Dropbox repository until the patch is applied (Site Administration -> Plugins -> Repositories -> Manage repositories).
CVE identifier: CVE-2025-3641
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-84475
Tracker issue: MDL-84475 Authenticated remote code execution risk in the Moodle LMS Dropbox repository
_____________________________________________________________________

MSA-25-0024: Authenticated remote code execution risk in the Moodle LMS EQUELLA repository
by Michael Hawkins, Tuesday, 22 April 2025, 12:11

A remote code execution risk was identified in the Moodle LMS EQUELLA repository. By default this was only available to teachers and managers, on sites with the EQUELLA repository enabled.

Severity/Risk: Serious
Versions affected: 4.5 to 4.5.3, 4.4 to 4.4.7, 4.3 to 4.3.11, 4.1 to 4.1.17 and earlier unsupported versions
Versions fixed: 4.5.4, 4.4.8, 4.3.12 and 4.1.18
Reported by: Vincent Schneider (cli-ish)
Workaround: Disable the EQUELLA repository until the patch is applied (Site Administration -> Plugins -> Repositories -> Manage repositories).
CVE identifier: CVE-2025-3642
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-84473
Tracker issue: MDL-84473 Authenticated remote code execution risk in the Moodle LMS EQUELLA repository
_____________________________________________________________________

MSA-25-0025: Reflected XSS risk in policy tool
by Michael Hawkins, Tuesday, 22 April 2025, 12:12

The return URL in the policy tool required extra sanitizing to prevent a reflected XSS risk.

Severity/Risk: Serious
Versions affected: 4.5 to 4.5.3, 4.4 to 4.4.7, 4.3 to 4.3.11, 4.1 to 4.1.17 and earlier unsupported versions
Versions fixed: 4.5.4, 4.4.8, 4.3.12 and 4.1.18
CVE identifier: CVE-2025-3643
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-85104
Tracker issue: MDL-85104 Reflected XSS risk in policy tool
_____________________________________________________________________

MSA-25-0026: AJAX section delete does not respect course_can_delete_section()
by Michael Hawkins, Tuesday, 22 April 2025, 12:13

Additional checks were required to prevent users deleting course sections they did not have permission to modify.

Severity/Risk: Minor
Versions affected: 4.5 to 4.5.3, 4.4 to 4.4.7, 4.3 to 4.3.11, 4.1 to 4.1.17 and earlier unsupported versions
Versions fixed: 4.5.4, 4.4.8, 4.3.12 and 4.1.18
Reported by: James E. Calder
CVE identifier: CVE-2025-3644
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-83994
Tracker issue: MDL-83994 AJAX section delete does not respect course_can_delete_section()
_____________________________________________________________________

MSA-25-0027: IDOR in messaging web service allows access to some user details
by Michael Hawkins, Tuesday, 22 April 2025, 12:14

Insufficient capability checks in a messaging web service made it possible to view other users' names and online status.

Severity/Risk: Minor
Versions affected: 4.5 to 4.5.3, 4.4 to 4.4.7, 4.3 to 4.3.11, 4.1 to 4.1.17 and earlier unsupported versions
Versions fixed: 4.5.4, 4.4.8, 4.3.12 and 4.1.18
Reported by: ostapbender
CVE identifier: CVE-2025-3645
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-72704
Tracker issue: MDL-72704 IDOR in messaging web service allows access to some user details
_____________________________________________________________________

MSA-25-0028: IDOR when accessing the cohorts report
by Michael Hawkins, Tuesday, 22 April 2025, 12:15

Additional checks were required to ensure users can only fetch cohort data they are intended to have access to.

Severity/Risk: Minor
Versions affected: 4.5 to 4.5.3, 4.4 to 4.4.7, 4.3 to 4.3.11, 4.1 to 4.1.17 and earlier unsupported versions
Versions fixed: 4.5.4, 4.4.8, 4.3.12 and 4.1.18
Reported by: Paul Holden
CVE identifier: CVE-2025-3647
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-84865
Tracker issue: MDL-84865 IDOR when accessing the cohorts report

=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email:cert@support.renater.fr   +
=========================================================
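
The MSA-25-0013 workaround above can be checked mechanically on an unpatched site. The following is an added example, not part of the advisory or of Moodle's code: it classifies a set of TeX Notation filter settings using only the rules the workaround states. The key names (`pathlatex`, `pathdvips`, `pathconvert`, `pathmimetex`) and the function names are assumptions, and `SAMPLE_BIN` is a constructed stand-in for a real binary.

```python
import os
import sys

# Key names are assumed to mirror the TeX Notation filter's path settings;
# the decision rules are the ones stated in the MSA-25-0013 workaround.
TOOLCHAIN = ("pathlatex", "pathdvips", "pathconvert")
SAMPLE_BIN = sys.executable  # constructed stand-in for a real executable


def is_executable(path):
    """True if path is an existing regular file the current user can execute."""
    return bool(path) and os.path.isfile(path) and os.access(path, os.X_OK)


def audit_tex_filter(filter_enabled, settings):
    """Return (status, findings); status is 'ok', 'warn' or 'exposed'."""
    if not filter_enabled:
        return "ok", ["TeX Notation filter is disabled"]
    findings = []
    missing = [k for k in TOOLCHAIN if not is_executable(settings.get(k, ""))]
    mimetex = settings.get("pathmimetex", "")
    # A blank path is not a block: the bundled MimeTeX is used instead.
    mimetex_runnable = mimetex == "" or is_executable(mimetex)
    if missing:
        findings.append("not valid executables: " + ", ".join(missing))
    if mimetex_runnable:
        origin = "bundled" if mimetex == "" else mimetex
        findings.append("MimeTeX can still execute (" + origin + ")")
    if missing and mimetex_runnable:
        return "exposed", findings   # filter falls back to MimeTeX
    if missing or mimetex_runnable:
        return "warn", findings      # broken rendering, or fallback left runnable
    return "ok", ["LaTeX toolchain set and MimeTeX path is not executable"]


if __name__ == "__main__":
    hardened = dict.fromkeys(TOOLCHAIN, SAMPLE_BIN)
    hardened["pathmimetex"] = "x"   # deliberately invalid, as the advisory suggests
    for label, cfg in (("default", {"pathmimetex": ""}), ("hardened", hardened)):
        print(label, audit_tex_filter(True, cfg))
```

A result of `warn` with the toolchain set and a blank MimeTeX path is the case the advisory calls out: the bundled MimeTeX is still available as a fallback.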