Security announcements

MSA-24-0034: Matrix user/power level management not always working as expected with suspended users

Posted by Michael Hawkins

Matrix room membership and power levels were not correctly applied/revoked for suspended Moodle users

Severity/Risk: Minor
Versions affected: 4.4 to 4.4.1 and 4.3 to 4.3.5
Versions fixed: 4.4.2, 4.3.6
Reported by: Michael Hawkins
Workaround: Manually manage suspended users within Matrix (as a moderator/admin), until the patch is applied.
CVE identifier: CVE-2024-43433
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-81951
Tracker issue: MDL-81951 Matrix user/power level management not always working as expected with suspended users

MSA-24-0033: Authorization headers preserved between "emulated redirects"

Posted by Michael Hawkins

The cURL wrapper in Moodle stripped HTTPAUTH and USERPWD headers during emulated redirects, but retained other original request headers, so HTTP authorization header information could be unintentionally sent in requests to redirect URLs.

Severity/Risk: Minor
Versions affected: 4.4 to 4.4.1, 4.3 to 4.3.5, 4.2 to 4.2.8, 4.1 to 4.1.11 and earlier unsupported versions
Versions fixed: 4.4.2, 4.3.6, 4.2.9 and 4.1.12
Reported by: Marina Glancy
CVE identifier: CVE-2024-43432
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-82136
Tracker issue: MDL-82136 Authorization headers preserved between "emulated redirects"
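An added example, not Moodle's cURL wrapper or any code from the tracker issue, of the redirect header handling this fix is about: a client that emulates redirects itself replays the original headers only for a same-origin hop and drops credential-bearing ones (Authorization, Proxy-Authorization, Cookie) when the Location points at another origin. The fetch callback, hosts, token and header list are constructed for the illustration.

```python
from urllib.parse import urljoin, urlparse

# Credential-bearing headers that must not follow a redirect to another origin (constructed list).
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie"}
REDIRECT_STATUSES = {301, 302, 303, 307, 308}

def same_origin(url_a: str, url_b: str) -> bool:
    """True when scheme, host and effective port all match."""
    default_ports = {"http": 80, "https": 443}
    a, b = urlparse(url_a), urlparse(url_b)
    return (a.scheme == b.scheme
            and (a.hostname or "").lower() == (b.hostname or "").lower()
            and (a.port or default_ports.get(a.scheme)) == (b.port or default_ports.get(b.scheme)))

def headers_for_redirect(headers: dict, from_url: str, to_url: str) -> dict:
    """Headers to replay to the redirect target: all of them for a same-origin hop,
    otherwise everything except the credential-bearing ones."""
    if same_origin(from_url, to_url):
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() not in SENSITIVE_HEADERS}

def follow_emulated_redirects(url: str, headers: dict, fetch, max_hops: int = 5):
    """Emulate redirect following; fetch(url, headers) returns (status, location, body).
    Returns (final_url, headers_sent_to_final_url, body)."""
    sent = dict(headers)
    for _ in range(max_hops + 1):
        status, location, body = fetch(url, sent)
        if status not in REDIRECT_STATUSES or not location:
            return url, sent, body
        location = urljoin(url, location)  # resolve relative Location values against the current URL
        sent = headers_for_redirect(sent, url, location)  # filter before the next hop
        url = location
    raise RuntimeError("too many redirects")

def demo() -> dict:
    """Constructed scenario: a trusted host redirects to a third party.
    Returns the headers each host actually received, keyed by URL."""
    received = {}
    routes = {  # url -> (status, Location header, body)
        "https://trusted.example/report": (302, "https://third-party.example/report", b""),
        "https://third-party.example/report": (200, None, b"report body"),
    }
    def fake_fetch(url, hdrs):
        received[url] = dict(hdrs)
        return routes[url]
    follow_emulated_redirects("https://trusted.example/report",
                              {"Authorization": "Bearer CONSTRUCTED-TOKEN", "Accept": "*/*"},
                              fake_fetch)
    return received
```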

MSA-24-0032: IDOR in badges allows deletion of arbitrary badges

Posted by Michael Hawkins

Insufficient capability checks made it possible to delete badges a user does not have permission to access.

Severity/Risk: Serious
Versions affected: 4.4 to 4.4.1, 4.3 to 4.3.5, 4.2 to 4.2.8, 4.1 to 4.1.11 and earlier unsupported versions
Versions fixed: 4.4.2, 4.3.6, 4.2.9 and 4.1.12
Reported by: Paul Holden
CVE identifier: CVE-2024-43431
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-82390
Tracker issue: MDL-82390 IDOR in badges allows deletion of arbitrary badges

MSA-24-0031: Lack of access control when using external methods for Quiz overrides

Posted by Michael Hawkins

External API access to Quiz overrides contained insufficient access control.

Severity/Risk: Minor
Versions affected: 4.4 and 4.4.1
Versions fixed: 4.4.2
Reported by: Paul Holden
CVE identifier: CVE-2024-43430
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-82633
Tracker issue: MDL-82633 Lack of access control when using external methods for Quiz overrides

MSA-24-0030: User information visibility control issues in gradebook reports

Posted by Michael Hawkins

Some hidden user profile fields were visible in gradebook reports, which could result in some users without the "view hidden user fields" capability having access to the information.

Severity/Risk: Minor
Versions affected: 4.4 to 4.4.1, 4.3 to 4.3.5, 4.2 to 4.2.8, 4.1 to 4.1.11 and earlier unsupported versions
Versions fixed: 4.4.2, 4.3.6, 4.2.9 and 4.1.12
Reported by: Stefan Wilhelm
CVE identifier: CVE-2024-43429
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-79541
Tracker issue: MDL-79541 User information visibility control issues in gradebook reports

MSA-24-0029: Cache poisoning via injection into storage

Posted by Michael Hawkins

Additional localstorage validation was required to mitigate a cache poisoning risk.

Severity/Risk: Serious
Versions affected: 4.4 to 4.4.1, 4.3 to 4.3.5, 4.2 to 4.2.8, 4.1 to 4.1.11 and earlier unsupported versions
Versions fixed: 4.4.2, 4.3.6, 4.2.9 and 4.1.12
Reported by: Andrew Lyons
CVE identifier: CVE-2024-43428
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-81718
Tracker issue: MDL-81718 Cache poisoning via injection into storage

MSA-24-0028: Admin presets export tool includes some secrets that should not be exported

Posted by Michael Hawkins

When creating an export of site administration presets, some sensitive secrets/keys were not being excluded from the export, which could result in them being unintentionally leaked if the presets were shared with a third party.

Severity/Risk: Minor
Versions affected: 4.4 to 4.4.1, 4.3 to 4.3.5, 4.2 to 4.2.8, 4.1 to 4.1.11 and earlier unsupported versions
Versions fixed: 4.4.2, 4.3.6, 4.2.9 and 4.1.12
Reported by: Paul Holden
Workaround: Avoid exporting or distributing admin presets until the patch is applied.
CVE identifier: CVE-2024-43427
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-79373
Tracker issue: MDL-79373 Admin presets export tool includes some secrets that should not be exported

MSA-24-0027: Arbitrary file read risk through pdfTeX

Posted by Michael Hawkins

Insufficient sanitizing in the TeX notation filter resulted in an arbitrary file read risk on sites where pdfTeX is available (such as those with TeX Live installed).

Severity/Risk: Serious
Versions affected: 4.4 to 4.4.1, 4.3 to 4.3.5, 4.2 to 4.2.8, 4.1 to 4.1.11 and earlier unsupported versions
Versions fixed: 4.4.2, 4.3.6, 4.2.9 and 4.1.12
Reported by: TaiYou
Workaround: Disable the TeX filter until the patch is applied.
CVE identifier: CVE-2024-43426
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-82745
Tracker issue: MDL-82745 Arbitrary file read risk through pdfTeX

MSA-24-0026: Remote code execution via calculated question types

Posted by Michael Hawkins

Additional restrictions were required to avoid a remote code execution risk in calculated question types. (Note: This required the capability to add/update questions.)

Severity/Risk: Serious
Versions affected: 4.4 to 4.4.1, 4.3 to 4.3.5, 4.2 to 4.2.8, 4.1 to 4.1.11 and earlier unsupported versions
Versions fixed: 4.4.2, 4.3.6, 4.2.9 and 4.1.12
Reported by: RedTeam Pentesting GmbH
CVE identifier: CVE-2024-43425
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-82576
Tracker issue: MDL-82576 Remote code execution via calculated question types

JavaScript “Polykill” Vulnerability

Posted by Matt Porritt

Hi All,

Some of you may have seen from various outlets that a vulnerability has been identified in the “polyfill.js” library and particularly the hosted version of that library (cdn.polyfill.io). This is a popular open source library that is used in many sites to add various JavaScript support features to older web browsers.

In light of this new vulnerability we have conducted a review of our Moodle products, associated moodle.org and moodle.com sites as well as our Moodle Cloud sites. We can confirm that our systems are not affected by this issue. We do not use this library in our product codebase or in the code of our company sites.

As a point of clarification the Moodle LMS codebase does include a file named `polyfill.js`, which might raise concerns due to the similarity in names. However, we assure you that this file is entirely unrelated to the vulnerability identified, and is just a coincidence.

We take security very seriously. Our team continuously monitors for new threats and vulnerabilities, ensuring that our products remain secure and reliable. We have robust processes in place to assess and mitigate any potential risks swiftly and effectively.

More information on this exploit can be found at https://polykill.io/, and this Sansec article provides a good overview.

Kind Regards,
Matt Porritt
Head of Platform Solutions.