The file repository's URL parsing required additional recursion handling to mitigate the risk of recursion denial of service.
| Severity/Risk: | Serious |
| Versions affected: | 3.11, 3.10 to 3.10.4, 3.9 to 3.9.7 and earlier unsupported versions |
| Versions fixed: | 3.11.1, 3.10.5 and 3.9.8 |
| Reported by: | 0xkasper |
| CVE identifier: | CVE-2021-36395 |
| Chang |
A remote code execution risk was identified in the Shibboleth authentication plugin. (Note: Shibboleth authentication is disabled by default in Moodle.)
| Severity/Risk: | Serious |
| Versions affected: | 3.11, 3.10 to 3.10.4, 3.9 to 3.9.7 and earlier unsupported versions |
| Versions fixed: | 3.11.1, 3.10.5 and 3.9.8 |
| Reported by: | Robin Peraglie |
The H5P PHP library included with Moodle has been upgraded to the latest minor version, which includes a security fix.
| Severity/Risk: | Serious |
| Versions affected: | 3.10 to 3.10.3, 3.9 to 3.9.6 and 3.8 to 3.8.8 |
| Versions fixed: | 3.11, 3.10.4, 3.9.7 and 3.8.9 |
| Reported by: | Sara Arjona |
| CVE identifier: | N/A |
| Changes (master): | http://git.moodle.or |
The redirect URI in the LTI authorization endpoint required extra sanitizing to prevent reflected XSS and open redirect risks.
| Severity/Risk: | Minor |
| Versions affected: | 3.10 to 3.10.3, 3.9 to 3.9.6, 3.8 to 3.8.8 and earlier unsupported versions |
| Versions fixed: | 3.11, 3.10.4, 3.9.7 and 3.8.9 |
| Reported by: | Jordan Tomkinson |
| CVE |