Distance education. We are experts in Moodle services


MSA-22-0007: Possible to reach the profile field badge criteria on a course page

Published on 21 March 2022
Category: Security
by Michael Hawkins.

Users with the capability to configure badge criteria (teachers and managers by default) were able to configure course badges with profile field criteria, which should only be available for site badges.


...
Severity/Risk: Minor
Versions affected: 3.11 to 3.11.5, 3.10 to 3.10.9, 3.9 to 3.9.12 and earlier unsupported versions

MSA-22-0008: Upgrade PHPMailer to latest version (upstream)

Published on 21 March 2022
Category: Security
by Michael Hawkins.

The PHPMailer library included with Moodle has been upgraded to the latest version, which includes security fixes.


...
Severity/Risk: Minor
Versions affected: 3.11 to 3.11.5, 3.10 to 3.10.9, 3.9 to 3.9.12 and earlier unsupported versions
Versions fixed: 3.11.6, 3.10.10 and 3.9.13
Reported by: Sara Arjona (@sarjona)
CVE identifier: N/A

MSA-22-0009: Upgrade CKEditor included in h5p-editor-php-library to latest version (upstream)

Published on 21 March 2022
Category: Security
by Michael Hawkins.

The CKEditor included in the h5p-editor-php-library within Moodle has been upgraded to the latest version, which includes security fixes.


...
Severity/Risk: Minor
Versions affected: 3.11 to 3.11.5, 3.10 to 3.10.9, 3.9 to 3.9.12 and earlier unsupported versions
Versions fixed: 3.11.6, 3.10.10 and 3.9.13
Reported by: Sara Arjona

MSA-22-0005: SQL injection risk in Badges criteria code

Published on 21 March 2022
Category: Security
by Michael Hawkins.

An SQL injection risk was identified in Badges code relating to configuring criteria. Access to the relevant capability was limited to teachers and managers by default.

NOTE: Please pay particular attention to this fix. Information was recently released online about this vulnerability by third parties, so please upgrade or...


MSA-22-0006: Users with moodle/site:uploadusers but without moodle/user:delete could delete users

Published on 21 March 2022
Category: Security
by Michael Hawkins.

Insufficient capability checks could allow users with the moodle/site:uploadusers capability to delete users, without having the necessary moodle/user:delete capability.


...
Severity/Risk: Minor
Versions affected: 3.11 to 3.11.5, 3.10 to 3.10.9, 3.9 to 3.9.12 and earlier unsupported versions
Versions fixed: 3.11.6, 3.10.10 and

MSA-22-0001: SQL injection risk in code fetching h5p activity user attempts

Published on 24 January 2022
Category: Security
by Michael Hawkins.

An SQL injection risk was identified in the h5p activity web service responsible for fetching user attempt data.


...
Severity/Risk: Serious
Versions affected: 3.11 to 3.11.4
Versions fixed: 3.11.5
Reported by: Paul Holden
CVE identifier: CVE-2022-0332
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=c

MSA-22-0002: calendar:manageentries capability allows CRUD access to all calendar events

Published on 24 January 2022
Category: Security
by Michael Hawkins.

The calendar:manageentries capability allowed managers to access or modify any calendar event, but should have been restricted from accessing user level events.


...
Severity/Risk: Minor
Versions affected: 3.11 to 3.11.4, 3.10 to 3.10.8, 3.9 to 3.9.11 and earlier unsupported versions
Versions fixed: 3.11.5, 3.10.9 and 3.9.12

MSA-22-0004: CSRF risk in badge alignment deletion

Published on 24 January 2022
Category: Security
by Michael Hawkins.

The "delete badge alignment" functionality did not include the necessary token check to prevent a CSRF risk.


...
Severity/Risk: Serious
Versions affected: 3.11 to 3.11.4, 3.10 to 3.10.8, 3.9 to 3.9.11 and earlier unsupported versions
Versions fixed: 3.11.5, 3.10.9 and 3.9.12
Reported by: Ostapbender
CVE identifier: CVE-2022-0335

MSA-22-0003: Capability gradereport/user:view not always respected when navigating to a user's course grade report

Published on 24 January 2022
Category: Security
by Michael Hawkins.

Insufficient capability checks could lead to users accessing their grade report for courses where they did not have the required gradereport/user:view capability.


...
Severity/Risk: Minor
Versions affected: 3.11 to 3.11.4, 3.10 to 3.10.8, 3.9 to 3.9.11 and earlier unsupported versions
Versions fixed: 3.11.5, 3.10.9 and 3.9.12

MSA-21-0038: Remote code execution risk when restoring malformed backup file

Published on 15 November 2021
Category: Security
by Michael Hawkins.

A remote code execution risk when restoring backup files was identified.


...
Severity/Risk: Serious
Versions affected: 3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10 and earlier unsupported versions
Versions fixed: 3.11.4, 3.10.8 and 3.9.11
Reported by: Paul Holden
CVE identifier: CVE-2021-3943
Changes (master): http://git.moodle.org/gw?p=

MSA-21-0039: Upgrade moodle-mlbackend-python and update its reference in /lib/mlbackend/python/classes/processor.php (upstream)

Published on 15 November 2021
Category: Security
by Michael Hawkins.

The upstream Moodle machine learning backend and its reference in /lib/mlbackend/python/classes/processor.php were upgraded, which includes some security updates.

Please note: If you are using Moodle Analytics, an upgrade to the mlbackend is required. See the Analytics settings documentation for more information about...


MSA-21-0040: Reflected XSS in filetype admin tool

Published on 15 November 2021
Category: Security
by Michael Hawkins.

A URL parameter in the filetype site administrator tool required extra sanitizing to prevent a reflected XSS risk.


...
Severity/Risk: Serious
Versions affected: 3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10 and earlier unsupported versions
Versions fixed: 3.11.4, 3.10.8 and 3.9.11
Reported by: starlabs_sg
CVE identifier: CVE-2021-43558

MSA-21-0041: CSRF risk on delete related badge feature

Published on 15 November 2021
Category: Security
by Michael Hawkins.

The "delete related badge" functionality did not include the necessary token check to prevent a CSRF risk.


...
Severity/Risk: Serious
Versions affected: 3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10 and earlier unsupported versions
Versions fixed: 3.11.4, 3.10.8 and 3.9.11
Reported by: ostapbender
CVE identifier: CVE-2021-43559

MSA-21-0042: IDOR in a calendar web service allows fetching of other users' action events

Published on 15 November 2021
Category: Security
by Michael Hawkins.

Insufficient capability checks made it possible to fetch other users' calendar action events.


...
Severity/Risk: Minor
Versions affected: 3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10 and earlier unsupported versions
Versions fixed: 3.11.4, 3.10.8 and 3.9.11
Reported by: 0xkasper
CVE identifier: CVE-2021-43560
Changes (master): http://git

MSA-21-0032: Session Hijack risk when Shibboleth authentication is enabled

Published on 20 September 2021
Category: Security
by Michael Hawkins.

A session hijack risk was identified in the Shibboleth authentication plugin. (Note: Shibboleth authentication is disabled by default in Moodle.)


...
Severity/Risk: Serious
Versions affected: 3.11 to 3.11.2, 3.10 to 3.10.6, 3.9 to 3.9.9 and earlier unsupported versions
Versions fixed: 3.11.3, 3.10.7 and 3.9.10
Reported by: Robin

MSA-21-0033: Course participants download did not restrict which users could be exported

Published on 20 September 2021
Category: Security
by Michael Hawkins.

Insufficient capability checks made it possible for teachers to download users outside of their courses.


...
Severity/Risk: Minor
Versions affected: 3.11 to 3.11.2, 3.10 to 3.10.6, 3.9 to 3.9.9 and earlier unsupported versions
Versions fixed: 3.11.3, 3.10.7 and 3.9.10
Reported by: Paul Holden
CVE identifier: CVE-2021-40692

MSA-21-0034: Authentication bypass risk when using external database authentication

Published on 20 September 2021
Category: Security
by Michael Hawkins.

An authentication bypass risk was identified in the external database authentication functionality, due to a type juggling vulnerability.


...
Severity/Risk: Serious
Versions affected: 3.11 to 3.11.2, 3.10 to 3.10.6, 3.9 to 3.9.9 and earlier unsupported versions
Versions fixed: 3.11.3, 3.10.7 and 3.9.10
Reported by: adeadead

MSA-21-0035: Arbitrary file read by site administrators via LaTeX preamble

Published on 20 September 2021
Category: Security
by Michael Hawkins.

Insufficient escaping of the LaTeX preamble made it possible for site administrators to read files available to the HTTP server system account.


...
Severity/Risk: Serious
Versions affected: 3.11 to 3.11.2, 3.10 to 3.10.6, 3.9 to 3.9.9 and earlier unsupported versions
Versions fixed: 3.11.3, 3.10.7 and 3.9.10
Reported by: raisin_bugbou

MSA-21-0036: Quiz unreleased grade disclosure via web service

Published on 20 September 2021
Category: Security
by Michael Hawkins.

It was possible for a student to view their quiz grade before it had been released, using a quiz web service.


...
Severity/Risk: Serious
Versions affected: 3.11 to 3.11.2, 3.10 to 3.10.6, 3.9 to 3.9.9 and earlier unsupported versions
Versions fixed: 3.11.3, 3.10.7 and 3.9.10
Reported by: Nadav Kavalerchik
CVE identifier: CVE-2021-40695

More articles...

  1. MSA-21-0022: Remote code execution risk when Shibboleth authentication is enabled
  2. MSA-21-0023: Recursion denial of service possible due to recursive cURL in file repository
  3. MSA-21-0024: Blind SSRF possible against cURL blocked hosts via redirect
  4. MSA-21-0025: Messaging web service allows deletion of other users' messages
  5. MSA-21-0026: Stored XSS in the web service token list via user ID number
  6. MSA-21-0027: Stored XSS in quiz override screens via user ID number
  7. MSA-21-0028: IDOR allows removal of other users' calendar URL subscriptions
  8. MSA-21-0029: Stored XSS when exporting to data formats supporting HTML via user ID number
  9. MSA-21-0030: Insufficient escaping of users' names in account confirmation email
  10. MSA-21-0031: Messaging email notifications containing HTML may hide the final line of the email
  11. MSA-21-0012: Forum CSV export could result in posts from all courses being exported
  12. MSA-21-0013: Quiz unreleased grade disclosure via web service
  13. MSA-21-0014: Blind SQL injection possible via MNet authentication
  14. MSA-21-0015: Stored XSS in quiz grading report via user ID number
  15. MSA-21-0016: Files API should mitigate denial-of-service risk when adding to the draft file area
  16. MSA-21-0017: Last app access time is visible to non-site-admins on user profile page
  17. MSA-21-0018: Reflected XSS and open redirect in LTI authorization endpoint
  18. MSA-21-0019: Upgrade H5P PHP library to latest minor version (upstream)
  19. MSA-21-0008: User full name disclosure within online users block

Moodle-Chile.cl is not affiliated with or endorsed by the Moodle Project.

Powered by TILATAM S.A.