MSA-21-0023: Recursion denial of service possible due to recursive cURL in file repository

by Michael Hawkins.  

The file repository's URL parsing required additional recursion handling to mitigate the risk of recursion denial of service.


...
Severity/Risk: Serious
Versions affected: 3.11, 3.10 to 3.10.4, 3.9 to 3.9.7 and earlier unsupported versions
Versions fixed: 3.11.1, 3.10.5 and 3.9.8
Reported by: 0xkasper
CVE identifier: CVE-2021-36395
Chang

MSA-21-0022: Remote code execution risk when Shibboleth authentication is enabled

by Michael Hawkins.  

A remote code execution risk was identified in the Shibboleth authentication plugin. (Note: Shibboleth authentication is disabled by default in Moodle.)


...
Severity/Risk: Serious
Versions affected: 3.11, 3.10 to 3.10.4, 3.9 to 3.9.7 and earlier unsupported versions
Versions fixed: 3.11.1, 3.10.5 and 3.9.8
Reported by: Robin Peraglie

MSA-21-0019: Upgrade H5P PHP library to latest minor version (upstream)

by Michael Hawkins.  

The H5P PHP library included with Moodle has been upgraded to the latest minor version, which includes a security fix.


...
Severity/Risk: Serious
Versions affected: 3.10 to 3.10.3, 3.9 to 3.9.6 and 3.8 to 3.8.8
Versions fixed: 3.11, 3.10.4, 3.9.7 and 3.8.9
Reported by: Sara Arjona
CVE identifier: N/A
Changes (master): http://git.moodle.or

MSA-21-0018: Reflected XSS and open redirect in LTI authorization endpoint

by Michael Hawkins.  

The redirect URI in the LTI authorization endpoint required extra sanitizing to prevent reflected XSS and open redirect risks.


...
Severity/Risk: Minor
Versions affected: 3.10 to 3.10.3, 3.9 to 3.9.6, 3.8 to 3.8.8 and earlier unsupported versions
Versions fixed: 3.11, 3.10.4, 3.9.7 and 3.8.9
Reported by: Jordan Tomkinson
CVE