Users with the capability to configure badge criteria (teachers and managers by default) were able to configure course badges with profile field criteria, which should only be available for site badges.
| Severity/Risk: | Minor |
| Versions affected: | 3.11 to 3.11.5, 3.10 to 3.10.9, 3.9 to 3.9.12 and earlier unsupported versions |
| Version |
The PHPMailer library included with Moodle has been upgraded to the latest version, which includes security fixes.
| Severity/Risk: | Minor |
| Versions affected: | 3.11 to 3.11.5, 3.10 to 3.10.9, 3.9 to 3.9.12 and earlier unsupported versions |
| Versions fixed: | 3.11.6, 3.10.10 and 3.9.13 |
| Reported by: | Sara Arjona (@sarjona) |
| CVE identifier: | N/A |
| Ch |
The CKEditor included in the h5p-editor-php-library within Moodle has been upgraded to the latest version, which includes security fixes.
| Severity/Risk: | Minor |
| Versions affected: | 3.11 to 3.11.5, 3.10 to 3.10.9, 3.9 to 3.9.12 and earlier unsupported versions |
| Versions fixed: | 3.11.6, 3.10.10 and 3.9.13 |
| Reported by: | Sara Arjona |
An SQL injection risk was identified in Badges code relating to configuring criteria. Access to the relevant capability was limited to teachers and managers by default.
NOTE: Please pay particular attention to this fix. Information was recently released online about this vulnerability by third parties, so please upgrade or...
Insufficient capability checks could allow users with the moodle/site:uploadusers capability to delete users, without having the necessary moodle/user:delete capability.
| Severity/Risk: | Minor |
| Versions affected: | 3.11 to 3.11.5, 3.10 to 3.10.9, 3.9 to 3.9.12 and earlier unsupported versions |
| Versions fixed: | 3.11.6, 3.10.10 and |
An SQL injection risk was identified in the h5p activity web service responsible for fetching user attempt data.
| Severity/Risk: | Serious |
| Versions affected: | 3.11 to 3.11.4 |
| Versions fixed: | 3.11.5 |
| Reported by: | Paul Holden |
| CVE identifier: | CVE-2022-0332 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=c |
The calendar:manageentries capability allowed managers to access or modify any calendar event, but should have been restricted from accessing user level events.
| Severity/Risk: | Minor |
| Versions affected: | 3.11 to 3.11.4, 3.10 to 3.10.8, 3.9 to 3.9.11 and earlier unsupported versions |
| Versions fixed: | 3.11.5, 3.10.9 and 3.9.12 |
| Reported |
The "delete badge alignment" functionality did not include the necessary token check to prevent a CSRF risk.
| Severity/Risk: | Serious |
| Versions affected: | 3.11 to 3.11.4, 3.10 to 3.10.8, 3.9 to 3.9.11 and earlier unsupported versions |
| Versions fixed: | 3.11.5, 3.10.9 and 3.9.12 |
| Reported by: | Ostapbender |
| CVE identifier: | CVE-2022-0335 |
| Changes |
Insufficient capability checks could lead to users accessing their grade report for courses where they did not have the required gradereport/user:view capability.
| Severity/Risk: | Minor |
| Versions affected: | 3.11 to 3.11.4, 3.10 to 3.10.8, 3.9 to 3.9.11 and earlier unsupported versions |
| Versions fixed: | 3.11.5, 3.10.9 and 3.9.12 |
| Reporte |
A remote code execution risk when restoring backup files was identified.
| Severity/Risk: | Serious |
| Versions affected: | 3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10 and earlier unsupported versions |
| Versions fixed: | 3.11.4, 3.10.8 and 3.9.11 |
| Reported by: | Paul Holden |
| CVE identifier: | CVE-2021-3943 |
| Changes (master): | http://git.moodle.org/gw?p= |
The upstream Moodle machine learning backend and its reference in /lib/mlbackend/python/classes/processor.php were upgraded, which includes some security updates.
Please note: If you are using Moodle Analytics, an upgrade to the mlbackend is required. See the Analytics settings documentation for more information about...
A URL parameter in the filetype site administrator tool required extra sanitizing to prevent a reflected XSS risk.
| Severity/Risk: | Serious |
| Versions affected: | 3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10 and earlier unsupported versions |
| Versions fixed: | 3.11.4, 3.10.8 and 3.9.11 |
| Reported by: | starlabs_sg |
| CVE identifier: | CVE-2021-43558 |
| C |
The "delete related badge" functionality did not include the necessary token check to prevent a CSRF risk.
| Severity/Risk: | Serious |
| Versions affected: | 3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10 and earlier unsupported versions |
| Versions fixed: | 3.11.4, 3.10.8 and 3.9.11 |
| Reported by: | ostapbender |
| CVE identifier: | CVE-2021-43559 |
| Changes |
Insufficient capability checks made it possible to fetch other users' calendar action events.
| Severity/Risk: | Minor |
| Versions affected: | 3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10 and earlier unsupported versions |
| Versions fixed: | 3.11.4, 3.10.8 and 3.9.11 |
| Reported by: | 0xkasper |
| CVE identifier: | CVE-2021-43560 |
| Changes (master): | http://git |
A session hijack risk was identified in the Shibboleth authentication plugin. (Note: Shibboleth authentication is disabled by default in Moodle.)
| Severity/Risk: | Serious |
| Versions affected: | 3.11 to 3.11.2, 3.10 to 3.10.6, 3.9 to 3.9.9 and earlier unsupported versions |
| Versions fixed: | 3.11.3, 3.10.7 and 3.9.10 |
| Reported by: | Robin |
Insufficient capability checks made it possible for teachers to download users outside of their courses.
| Severity/Risk: | Minor |
| Versions affected: | 3.11 to 3.11.2, 3.10 to 3.10.6, 3.9 to 3.9.9 and earlier unsupported versions |
| Versions fixed: | 3.11.3, 3.10.7 and 3.9.10 |
| Reported by: | Paul Holden |
| CVE identifier: | CVE-2021-40692 |
| Changes |
An authentication bypass risk was identified in the external database authentication functionality, due to a type juggling vulnerability.
| Severity/Risk: | Serious |
| Versions affected: | 3.11 to 3.11.2, 3.10 to 3.10.6, 3.9 to 3.9.9 and earlier unsupported versions |
| Versions fixed: | 3.11.3, 3.10.7 and 3.9.10 |
| Reported by: | adeadead |
| CVE |
Insufficient escaping of the LaTeX preamble made it possible for site administrators to read files available to the HTTP server system account.
| Severity/Risk: | Serious |
| Versions affected: | 3.11 to 3.11.2, 3.10 to 3.10.6, 3.9 to 3.9.9 and earlier unsupported versions |
| Versions fixed: | 3.11.3, 3.10.7 and 3.9.10 |
| Reported by: | raisin_bugbou |
It was possible for a student to view their quiz grade before it had been released, using a quiz web service.
| Severity/Risk: | Serious |
| Versions affected: | 3.11 to 3.11.2, 3.10 to 3.10.6, 3.9 to 3.9.9 and earlier unsupported versions |
| Versions fixed: | 3.11.3, 3.10.7 and 3.9.10 |
| Reported by: | Nadav Kavalerchik |
| CVE identifier: | CVE-2021-40695 |
| C |
It was possible for a student to view their quiz grade before it had been released, using a quiz web service.
| Severity/Risk: | Serious |
| Versions affected: | 3.11 to 3.11.2, 3.10 to 3.10.6, 3.9 to 3.9.9 and earlier unsupported versions |
| Versions fixed: | 3.11.3, 3.10.7 and 3.9.10 |
| Reported by: | Nadav Kavalerchik |
| CVE identifier: | CVE-2021-40695 |
| C |