Security announcements

MSA-22-0032: Blind SSRF risk in LTI provider library

by Michael Hawkins

Moodle's LTI provider library did not utilise Moodle's inbuilt cURL helper, which resulted in a blind SSRF risk.


Severity/Risk: Serious
Versions affected: 4.0 to 4.0.4, 3.11 to 3.11.10, 3.9 to 3.9.17 and earlier unsupported versions
Versions fixed: 4.0.5, 3.11.11 and 3.9.18
Reported by: Rekter0 and Holme
CVE identifier: CVE-2022-45152
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71920
Tracker issue: MDL-71920 Blind SSRF risk in LTI provider library

MSA-22-0031: Stored XSS possible in some "social" user profile fields

by Michael Hawkins

The "social" user profile field type performed insufficient escaping on some fields, resulting in a stored XSS risk.


Severity/Risk: Serious
Versions affected: 4.0 to 4.0.4 and 3.11 to 3.11.10
Versions fixed: 4.0.5 and 3.11.11
Reported by: Bernardo Cabral
Workaround: Update "social" user profile fields so their visibility is set to "not visible", until the patch is applied.
CVE identifier: CVE-2022-45151
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-76131
Tracker issue: MDL-76131 Stored XSS possible in some "social" user profile fields

MSA-22-0030: Reflected XSS risk in policy tool

by Michael Hawkins

The return URL in the policy tool required extra sanitizing to prevent a reflected XSS risk.


Severity/Risk: Serious
Versions affected: 4.0 to 4.0.4, 3.11 to 3.11.10, 3.9 to 3.9.17 and earlier unsupported versions
Versions fixed: 4.0.5, 3.11.11 and 3.9.18
Reported by: Eric Merrill
CVE identifier: CVE-2022-45150
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-76091
Tracker issue: MDL-76091 Reflected XSS risk in policy tool

MSA-22-0029: Course restore - CSRF token passed in course redirect URL

by Michael Hawkins

A user's CSRF token was unnecessarily included in the URL when they were redirected to a course they had just restored.


Severity/Risk: Minor
Versions affected: 4.0 to 4.0.4, 3.11 to 3.11.10, 3.9 to 3.9.17 and earlier unsupported versions
Versions fixed: 4.0.5, 3.11.11 and 3.9.18
Reported by: Michael Hawkins
CVE identifier: CVE-2022-45149
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-75862
Tracker issue: MDL-75862 Course restore - CSRF token passed in course redirect URL

MSA-22-0028: Apply upstream security fix to VideoJS library to remove XSS risk

by Michael Hawkins

An upstream security patch was applied to the third party VideoJS library included with Moodle, on versions affected by an XSS risk.


Severity/Risk: Serious
Versions affected: 3.11 to 3.11.10, 3.9 to 3.9.17 and earlier unsupported versions
Versions fixed: 3.11.11 and 3.9.18
Reported by: Vincent
CVE identifier: CVE-2021-23414 (upstream)
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-75278
Tracker issue: MDL-75278 Apply upstream security fix to VideoJS library to remove XSS risk

MSA-22-0027: Quiz sequential navigation bypass using web services

by Michael Hawkins

Insufficient limitations in some quiz web services made it possible for students to bypass sequential navigation during a quiz attempt.


Severity/Risk: Minor
Versions affected: 4.0 to 4.0.2, 3.11 to 3.11.8, 3.9 to 3.9.15 and earlier unsupported versions
Versions fixed: 4.0.3, 3.11.9 and 3.9.16
Reported by: omaralbalouli
CVE identifier: CVE-2022-40208
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-75210
Tracker issue: MDL-75210 Quiz sequential navigation bypass using web services

MSA-22-0026: No groups filtering in H5P activity attempts report

by Michael Hawkins

The H5P activity attempts report did not filter by groups, which in separate groups mode could reveal information to non-editing teachers about attempts/users in groups they should not have access to.


Severity/Risk: Minor
Versions affected: 4.0 to 4.0.3, 3.11 to 3.11.9, 3.9 to 3.9.16 and earlier unsupported versions
Versions fixed: 4.0.4, 3.11.10 and 3.9.17
Reported by: Jari Vilkman and Bjørn Teistung
Workaround: Access to this feature can be revoked by removing the mod/h5pactivity:reviewattempts capability from relevant users until the patch is applied.
CVE identifier: CVE-2022-40316
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71662 and http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-72012
Tracker issue: MDL-71662 and MDL-72012 No groups filtering in H5P activity attempts report

MSA-22-0025: Minor SQL injection risk in admin user browsing

by Michael Hawkins

A limited SQL injection risk was identified in the "browse list of users" site administration page.


Severity/Risk: Minor
Versions affected: 4.0 to 4.0.3, 3.11 to 3.11.9, 3.9 to 3.9.16 and earlier unsupported versions
Versions fixed: 4.0.4, 3.11.10 and 3.9.17
Reported by: Vincent
CVE identifier: CVE-2022-40315
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-75283
Tracker issue: MDL-75283 Minor SQL injection risk in admin user browsing

MSA-22-0024: Remote code execution risk when restoring malformed backup file from Moodle 1.9

by Michael Hawkins

A remote code execution risk was identified when restoring malformed backup files originating from Moodle 1.9.


Severity/Risk: Serious
Versions affected: 4.0 to 4.0.3, 3.11 to 3.11.9, 3.9 to 3.9.16 and earlier unsupported versions
Versions fixed: 4.0.4, 3.11.10 and 3.9.17
Reported by: Paul Holden
CVE identifier: CVE-2022-40314
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-75405
Tracker issue: MDL-75405 Remote code execution risk when restoring malformed backup file from Moodle 1.9

MSA-22-0023: Stored XSS and page denial of service risks due to recursive rendering in Mustache template helpers

by Michael Hawkins

Recursive rendering of Mustache template helpers containing user input could, in some cases, result in an XSS risk or a page failing to load.


Severity/Risk: Serious
Versions affected: 4.0 to 4.0.3, 3.11 to 3.11.9, 3.9 to 3.9.16 and earlier unsupported versions
Versions fixed: 4.0.4, 3.11.10 and 3.9.17
Reported by: Adam Roberts, NCC Group
CVE identifier: CVE-2022-40313
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-68066
Tracker issue: MDL-68066 Stored XSS and page denial of service risks due to recursive rendering in Mustache template helpers