Seguridad Moodle - Elearning Tilatam

MSA-22-0001: SQL injection risk in code fetching h5p activity user attempts

by Michael Hawkins.

An SQL injection risk was identified in the h5p activity web service responsible for fetching user attempt data.

...

Severity/Risk:	Serious
Versions affected:	3.11 to 3.11.4
Versions fixed:	3.11.5
Reported by:	Paul Holden
CVE identifier:	CVE-2022-0332
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=c

by Michael Hawkins.

Insufficient capability checks made it possible to fetch other users' calendar action events.

...

Severity/Risk:	Minor
Versions affected:	3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10 and earlier unsupported versions
Versions fixed:	3.11.4, 3.10.8 and 3.9.11
Reported by:	0xkasper
CVE identifier:	CVE-2021-43560
Changes (master):	http://git

by Michael Hawkins.

The "delete related badge" functionality did not include the necessary token check to prevent a CSRF risk.

...

Severity/Risk:	Serious
Versions affected:	3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10 and earlier unsupported versions
Versions fixed:	3.11.4, 3.10.8 and 3.9.11
Reported by:	ostapbender
CVE identifier:	CVE-2021-43559
Changes

by Michael Hawkins.

A URL parameter in the filetype site administrator tool required extra sanitizing to prevent a reflected XSS risk.

...

Severity/Risk:	Serious
Versions affected:	3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10 and earlier unsupported versions
Versions fixed:	3.11.4, 3.10.8 and 3.9.11
Reported by:	starlabs_sg
CVE identifier:	CVE-2021-43558
C