=====================================================================

                            CERT-Renater

                Note d'Information No. 2026/VULN664
_____________________________________________________________________

DATE                : 23/06/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Moodle versions prior to 5.2.1,
                     5.1.5, 5.0.8, 4.5.12.

=====================================================================
https://moodle.org/mod/forum/discuss.php?d=481810
https://moodle.org/mod/forum/discuss.php?d=481811
https://moodle.org/mod/forum/discuss.php?d=481812
https://moodle.org/mod/forum/discuss.php?d=481813
https://moodle.org/mod/forum/discuss.php?d=481814
https://moodle.org/mod/forum/discuss.php?d=481817
https://moodle.org/mod/forum/discuss.php?d=481818
https://moodle.org/mod/forum/discuss.php?d=481819
https://moodle.org/mod/forum/discuss.php?d=481820
https://moodle.org/mod/forum/discuss.php?d=481821
https://moodle.org/mod/forum/discuss.php?d=481823
https://moodle.org/mod/forum/discuss.php?d=481824
https://moodle.org/mod/forum/discuss.php?d=481825
https://moodle.org/mod/forum/discuss.php?d=481826
https://moodle.org/mod/forum/discuss.php?d=481827
_____________________________________________________________________


MSA-26-0012: Arbitrary file read risk in Database activity module
by Michael Hawkins, Monday 22 June 2026, 19:18


An arbitrary file read risk was identified in the Database Activity
module's import feature.

Severity/Risk: 	Serious
Versions affected: 	5.2, 5.1 to 5.1.4, 5.0 to 5.0.7, 4.5 to 4.5.11
and earlier unsupported versions
Versions fixed: 	5.2.1, 5.1.5, 5.0.8 and 4.5.12
Reported by: 	POVGen
CVE identifier: 	Pending (this will be updated once available)
Changes (main): 	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-88595
Tracker issue: 	MDL-88595 Arbitrary file read risk in Database activity module
_____________________________________________________________________


MSA-26-0013: Email-based MFA bypass
by Michael Hawkins, Monday 22 June 2026, 19:19


A flaw in email-based multi-factor authentication made it possible for
a user to bypass another user's MFA token check if using the email
factor. Note: Valid login credentials (such as username and password)
were still required to log into the account.
Severity/Risk: 	Serious
Versions affected: 	5.2, 5.1 to 5.1.4, 5.0 to 5.0.7, 4.5 to 4.5.11
and earlier unsupported versions
Versions fixed: 	5.2.1, 5.1.5, 5.0.8 and 4.5.12
Reported by: 	Brendan Heywood
CVE identifier: 	Pending (this will be updated once available)
Changes (main): 	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-88767
Tracker issue: 	MDL-88767 Email-based MFA bypass

_____________________________________________________________________


MSA-26-0014: Arbitrary file read risk in backup restore
by Michael Hawkins, Monday 22 June 2026, 19:20


An arbitrary file read risk was identified in the backup restore
functionality.
Severity/Risk: 	Serious
Versions affected: 	5.2, 5.1 to 5.1.4, 5.0 to 5.0.7, 4.5 to 4.5.11
and earlier unsupported versions
Versions fixed: 	5.2.1, 5.1.5, 5.0.8 and 4.5.12
Reported by: 	LoWeST
CVE identifier: 	Pending (this will be updated once available)
Changes (main): 	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-88736
Tracker issue: 	MDL-88736 Arbitrary file read risk in backup restore
_____________________________________________________________________

MSA-26-0015: RCE risk via admin presets import
by Michael Hawkins, Monday 22 June 2026, 19:20


A remote code execution risk was identified in the admin presets
import feature. Note: This feature is only available to site
administrators.
Severity/Risk: 	Serious
Versions affected: 	5.2, 5.1 to 5.1.4, 5.0 to 5.0.7, 4.5 to 4.5.11
and earlier unsupported versions
Versions fixed: 	5.2.1, 5.1.5, 5.0.8 and 4.5.12
Reported by: 	LoWeST
CVE identifier: 	Pending (this will be updated once available)
Changes (main): 	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-88735
Tracker issue: 	MDL-88735 RCE risk via admin presets import
_____________________________________________________________________

MSA-26-0016: Missing group access checks in grade web services
by Michael Hawkins, Monday 22 June 2026, 19:21


Missing group access checks in some grade web services could allow a
user to access grade and user information for students in groups they
did not have permission to view.
Severity/Risk: 	Minor
Versions affected: 	5.2, 5.1 to 5.1.4, 5.0 to 5.0.7, 4.5 to 4.5.11
and earlier unsupported versions
Versions fixed: 	5.2.1, 5.1.5, 5.0.8 and 4.5.12
Reported by: 	Paul Holden
CVE identifier: 	Pending (this will be updated once available)
Changes (main): 	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-88667
Tracker issue: 	MDL-88667 Missing group access checks in grade web services
_____________________________________________________________________


MSA-26-0017: IDOR allows arbitrary comment deletion
by Michael Hawkins, Monday 22 June 2026, 20:30


Additional checks were required to ensure users with the capability to
delete comments can only do so in the contexts where they have the
permission.
Severity/Risk: 	Serious
Versions affected: 	5.2, 5.1 to 5.1.3, 5.0 to 5.0.6, 4.5 to 4.5.10
and earlier unsupported versions
Versions fixed: 	5.2.1, 5.1.5, 5.0.8 and 4.5.12
Reported by: 	Paul Holden
CVE identifier: 	Pending (this will be updated once available)
Changes (main): 	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-88619
Tracker issue: 	MDL-88619 IDOR allows arbitrary comment deletion
_____________________________________________________________________


MSA-26-0018: CSRF risk in user homepage preference setting
by Michael Hawkins, Monday 22 June 2026, 20:31


The setting for users to set their own homepage preference did not
include the necessary token to prevent a CSRF risk.
Severity/Risk: 	Minor
Versions affected: 	5.2, 5.1 to 5.1.4, 5.0 to 5.0.7, 4.5 to 4.5.11
and earlier unsupported versions
Versions fixed: 	5.2.1, 5.1.5, 5.0.8 and 4.5.12
Reported by: 	Paul Holden
CVE identifier: 	Pending (this will be updated once available)
Changes (main): 	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-88609
Tracker issue: 	MDL-88609 CSRF risk in user homepage preference setting
_____________________________________________________________________


MSA-26-0019: CSRF risk in user profile page reset
by Michael Hawkins, Monday 22 June 2026, 20:31


The user profile page reset action did not include the necessary
token to prevent a CSRF risk.
Severity/Risk: 	Minor
Versions affected: 	5.2, 5.1 to 5.1.4, 5.0 to 5.0.7, 4.5 to 4.5.11
and earlier unsupported versions
Versions fixed: 	5.2.1, 5.1.5, 5.0.8 and 4.5.12
Reported by: 	Paul Holden
CVE identifier: 	Pending (this will be updated once available)
Changes (main): 	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-88545
Tracker issue: 	MDL-88545 CSRF risk in user profile page reset
_____________________________________________________________________


MSA-26-0020: Reflected XSS via Feedback import error message
by Michael Hawkins, Monday 22 June 2026, 20:32


The Feedback activity module's import functionality required
additional sanitizing to prevent a reflected XSS risk.
Severity/Risk: 	Minor
Versions affected: 	5.2, 5.1 to 5.1.4, 5.0 to 5.0.7, 4.5 to 4.5.11
and earlier unsupported versions
Versions fixed: 	5.2.1, 5.1.5, 5.0.8 and 4.5.12
Reported by: 	Paul Holden
CVE identifier: 	Pending (this will be updated once available)
Changes (main): 	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-88543
Tracker issue: 	MDL-88543 Reflected XSS via Feedback import error message
_____________________________________________________________________

MSA-26-0021: CSRF and XSS in grade item idnumber editing
by Michael Hawkins, Monday 22 June 2026, 20:32


The grade item ID number editing functionality did not include the
necessary token to prevent a CSRF risk and also lacked sufficient
output sanitizing to prevent an XSS risk.
Severity/Risk: 	Serious
Versions affected: 	5.2, 5.1 to 5.1.4, 5.0 to 5.0.7, 4.5 to 4.5.11
and earlier unsupported versions
Versions fixed: 	5.2.1, 5.1.5, 5.0.8 and 4.5.12
Reported by: 	Paul Holden
CVE identifier: 	Pending (this will be updated once available)
Changes (main): 	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-88542
Tracker issue: 	MDL-88542 CSRF and XSS in grade item idnumber editing
_____________________________________________________________________


MSA-26-0022: CSRF risk in group messaging state toggle
by Michael Hawkins, Monday 22 June 2026, 21:48


The actions to enable and disable group messaging did not include the
necessary token to prevent a CSRF risk.
Severity/Risk: 	Minor
Versions affected: 	5.2, 5.1 to 5.1.4, 5.0 to 5.0.7, 4.5 to 4.5.11
and earlier unsupported versions
Versions fixed: 	5.2.1, 5.1.5, 5.0.8 and 4.5.12
Reported by: 	Paul Holden
CVE identifier: 	Pending (this will be updated once available)
Changes (main): 	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-88541
Tracker issue: 	MDL-88541 CSRF risk in group messaging state toggle
_____________________________________________________________________


MSA-26-0023: CSRF risk when adding quiz section headings
by Michael Hawkins, Monday 22 June 2026, 21:49


The quiz feature to add section headings did not include the necessary
token to prevent a CSRF risk.
Severity/Risk: 	Minor
Versions affected: 	5.2, 5.1 to 5.1.4, 5.0 to 5.0.7, 4.5 to 4.5.11
and earlier unsupported versions
Versions fixed: 	5.2.1, 5.1.5, 5.0.8 and 4.5.12
Reported by: 	Paul Holden
CVE identifier: 	Pending (this will be updated once available)
Changes (main): 	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-88540
Tracker issue: 	MDL-88540 CSRF risk when adding quiz section headings
_____________________________________________________________________


MSA-26-0024: Missing capability checks in AI placement web services
by Michael Hawkins, Monday 22 June 2026, 21:49


Capability checks were missing from course assistance AI placement web
services, which could allow users to make requests to those AI course
assistance web services without having the relevant capabilities (if
those features are enabled).
Severity/Risk: 	Minor
Versions affected: 	5.2, 5.1 to 5.1.4, 5.0 to 5.0.7, 4.5 to 4.5.11
and earlier unsupported versions
Versions fixed: 	5.2.1, 5.1.5, 5.0.8 and 4.5.12
Reported by: 	Paul Holden
CVE identifier: 	Pending (this will be updated once available)
Changes (main): 	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-88533
Tracker issue: 	MDL-88533 Missing capability checks in AI placement web services
_____________________________________________________________________


MSA-26-0025: CSRF risk in quiz attempt regrading
by Michael Hawkins, Monday 22 June 2026, 21:50


The regrade action in the quiz overview report did not include the
necessary token to prevent a CSRF risk.
Severity/Risk: 	Serious
Versions affected: 	5.2, 5.1 to 5.1.4, 5.0 to 5.0.7, 4.5 to 4.5.11
and earlier unsupported versions
Versions fixed: 	5.2.1, 5.1.5, 5.0.8 and 4.5.12
Reported by: 	Paul Holden
CVE identifier: 	Pending (this will be updated once available)
Changes (main): 	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-88531
Tracker issue: 	MDL-88531 CSRF risk in quiz attempt regrading
_____________________________________________________________________


MSA-26-0026: Missing capability check in Assignment marker allocation
by Michael Hawkins, Monday 22 June 2026, 21:51


Insufficient capability checks in the Assignment module's marker
allocation functionality allowed users without the required capability
to allocate markers to submissions.
Severity/Risk: 	Serious
Versions affected: 	5.2, 5.1 to 5.1.4, 5.0 to 5.0.7, 4.5 to 4.5.11
and earlier unsupported versions
Versions fixed: 	5.2.1, 5.1.5, 5.0.8 and 4.5.12
Reported by: 	Paul Holden
CVE identifier: 	Pending (this will be updated once available)
Changes (main): 	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-88529
Tracker issue: 	MDL-88529 Missing capability check in Assignment marker allocation
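All fifteen advisories above share one "Versions fixed" line. The following script, an added example that is not part of the CERT-Renater note or of Moodle, parses that line and reports whether an installed Moodle version (constructed sample values) still needs the upgrade; it treats a branch older than any listed one as "earlier unsupported versions" and a branch newer than any listed one as outside the note's scope.

```python
"""Check installed Moodle versions against the advisory's "Versions fixed" line."""
import re

# Copied from the "Versions fixed" field shared by every advisory above.
FIXED_VERSIONS_LINE = "5.2.1, 5.1.5, 5.0.8 and 4.5.12"


def parse_version(text):
    """'5.1.4' -> (5, 1, 4); a bare branch such as '5.2' -> (5, 2, 0)."""
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def parse_fixed(line):
    """Map each supported branch (major, minor) to its first fixed release."""
    fixed = {}
    for token in re.findall(r"\d+(?:\.\d+)+", line):
        version = parse_version(token)
        fixed[version[:2]] = version
    return fixed


def is_affected(installed, fixed_line=FIXED_VERSIONS_LINE):
    """Return (affected, reason) for a dotted installed-version string."""
    fixed = parse_fixed(fixed_line)
    version = parse_version(installed)
    branch = version[:2]
    if branch in fixed:
        target = ".".join(str(n) for n in fixed[branch])
        if version >= fixed[branch]:
            return False, "patched (%s >= %s)" % (installed, target)
        return True, "upgrade to %s" % target
    if branch < min(fixed):
        # Older than 4.5: "earlier unsupported versions", no fix published.
        return True, "unsupported branch, no fixed release available"
    # Newer than 5.2: not listed, so this note makes no claim about it.
    return False, "branch not covered by this advisory"


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for host, version in [("lms-prod", "5.1.4"), ("lms-test", "5.2.1"),
                          ("lms-legacy", "4.4.3"), ("lms-next", "5.3.0")]:
        affected, reason = is_affected(version)
        print("%-10s %-7s %s: %s" % (host, version,
                                      "AFFECTED" if affected else "ok", reason))
```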


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================