Security announcements

MSA-24-0054: Database activity issue in separate groups mode, for users not in a group

Posted by Michael Hawkins

In a database activity with separate groups mode enabled, users who were not in a group (and did not have permission to access all groups) could see entries from members of all groups in the activity, rather than just entries of users also not in any groups. Note: Users within groups worked as intended, only able to see entries belonging to other members of their group(s).

Severity/Risk: Minor
Versions affected: 4.5, 4.4 to 4.4.4, 4.3 to 4.3.8, 4.1 to 4.1.14 and earlier unsupported versions
Versions fixed: 4.5.1, 4.4.5, 4.3.9 and 4.1.15
Reported by: Jaron Cohen
CVE identifier: CVE-2024-55646
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-82757
Tracker issue: MDL-82757 Database activity issue in separate groups mode, for users not in a group

MSA-24-0053: Email change confirmation token available via preference

Posted by Michael Hawkins

On sites requiring a confirmation step to update a user's email address, the token used to verify the change should only be accessible via the confirmation email, but was otherwise retrievable by the user.

Severity/Risk: Minor
Versions affected: 4.5, 4.4 to 4.4.4, 4.3 to 4.3.8, 4.1 to 4.1.14 and earlier unsupported versions
Versions fixed: 4.5.1, 4.4.5, 4.3.9 and 4.1.15
Reported by: Vincent Schneider (cli-ish)
CVE identifier: CVE-2024-55645
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-82379
Tracker issue: MDL-82379 Email change confirmation token available via preference

MSA-24-0052: Tag index page displays other users tagged with the selected tag

Posted by Michael Hawkins

Insufficient checks meant users could see users tagged with a tag, regardless of whether they had access to view the users' profiles.

Severity/Risk: Minor
Versions affected: 4.5, 4.4 to 4.4.4, 4.3 to 4.3.8, 4.1 to 4.1.14 and earlier unsupported versions
Versions fixed: 4.5.1, 4.4.5, 4.3.9 and 4.1.15
Reported by: Frederik Milling Pytlick
CVE identifier: CVE-2024-55644
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-82963
Tracker issue: MDL-82963 Tag index page displays other users tagged with the selected tag

MSA-24-0051: Unprotected access to sensitive information via learning plan web service

Posted by Michael Hawkins

Insufficient capability checks in a learning plan web service could result in users having the ability to retrieve information they did not have permission to access (such as users' names).

Severity/Risk: Serious
Versions affected: 4.5, 4.4 to 4.4.4, 4.3 to 4.3.8, 4.1 to 4.1.14 and earlier unsupported versions
Versions fixed: 4.5.1, 4.4.5, 4.3.9 and 4.1.15
Reported by: lUcgryy
CVE identifier: CVE-2024-55643
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-83921
Tracker issue: MDL-83921 Unprotected access to sensitive information via learning plan web service

MSA-24-0050: IDOR when fetching report schedules

Posted by Michael Hawkins

Additional checks were required to ensure users can only access the schedule of a report if they have permission to edit that report.

Severity/Risk: Minor
Versions affected: 4.4 to 4.4.3, 4.3 to 4.3.7, 4.2 to 4.2.10, 4.1 to 4.1.13 and earlier unsupported versions
Versions fixed: 4.4.4, 4.3.8, 4.2.11 and 4.1.14
Reported by: Frédéric Massart
CVE identifier: CVE-2024-48901
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-83180
Tracker issue: MDL-83180 IDOR when fetching report schedules

MSA-24-0049: IDOR when accessing list of badge recipients

Posted by Michael Hawkins

Additional checks were required to ensure users with permission to view badge recipients can only access lists of those they are intended to have access to.

Severity/Risk: Minor
Versions affected: 4.4 to 4.4.3
Versions fixed: 4.4.4
Reported by: Frédéric Massart
CVE identifier: CVE-2024-48900
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-83178
Tracker issue: MDL-83178 IDOR when accessing list of badge recipients

MSA-24-0048: IDOR when accessing list of course badges

Posted by Michael Hawkins

Additional checks were required to ensure users can only fetch the list of course badges for courses they are intended to have access to.

Severity/Risk: Minor
Versions affected: 4.4 to 4.4.3
Versions fixed: 4.4.4
Reported by: Frédéric Massart
CVE identifier: CVE-2024-48899
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-83179
Tracker issue: MDL-83179 IDOR when accessing list of course badges

MSA-24-0047: Some users can delete audiences of other reports

Posted by Michael Hawkins

Users with access to delete audiences from some reports could delete audiences from other reports they did not have permission to delete from.

Severity/Risk: Minor
Versions affected: 4.4 to 4.4.3, 4.3 to 4.3.7, 4.2 to 4.2.10, 4.1 to 4.1.13 and earlier unsupported versions
Versions fixed: 4.4.4, 4.3.8, 4.2.11 and 4.1.14
Reported by: Frédéric Massart
CVE identifier: CVE-2024-48898
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-83181
Tracker issue: MDL-83181 Some users can delete audiences of other reports

MSA-24-0046: IDOR in edit/delete RSS feed

Posted by Michael Hawkins

Additional checks were required to ensure users can only edit or delete RSS feeds they have permission to modify.

Severity/Risk: Minor
Versions affected: 4.4 to 4.4.3, 4.3 to 4.3.7, 4.2 to 4.2.10, 4.1 to 4.1.13 and earlier unsupported versions
Versions fixed: 4.4.4, 4.3.8, 4.2.11 and 4.1.14
Reported by: Paul Holden
CVE identifier: CVE-2024-48897
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-82386
Tracker issue: MDL-82386 IDOR in edit/delete RSS feed

MSA-24-0045: Users' names returned in messaging error message

Posted by Michael Hawkins

It was possible for users with the "send message" capability to view other users' names they may not otherwise have access to, via an error message in Messaging. (Note: The name returned followed the full name format configured on the site.)

Severity/Risk: Minor
Versions affected: 4.4 to 4.4.3, 4.3 to 4.3.7, 4.2 to 4.2.10, 4.1 to 4.1.13 and earlier unsupported versions
Versions fixed: 4.4.4, 4.3.8, 4.2.11 and 4.1.14
Reported by: Bruno Kirschner (Recurity Labs)
CVE identifier: CVE-2024-48896
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-83352
Tracker issue: MDL-83352 Users' names returned in messaging error message