A remote code execution risk was identified in the Shibboleth authentication plugin. (Note: Shibboleth authentication is disabled by default in Moodle.)
| Severity/Risk: | Serious |
| Versions affected: | 3.11, 3.10 to 3.10.4, 3.9 to 3.9.7 and earlier unsupported versions |
| Versions fixed: | 3.11.1, 3.10.5 and 3.9.8 |
| Reported by: | Robin Peraglie |
The file repository's URL parsing required additional recursion handling to mitigate the risk of recursion denial of service.
| Severity/Risk: | Serious |
| Versions affected: | 3.11, 3.10 to 3.10.4, 3.9 to 3.9.7 and earlier unsupported versions |
| Versions fixed: | 3.11.1, 3.10.5 and 3.9.8 |
| Reported by: | 0xkasper |
| CVE identifier: | CVE-2021-36395 |
| Chang |
Insufficient redirect handling made it possible to blindly bypass cURL blocked hosts/allowed ports restrictions, resulting in a blind SSRF risk. (Note: The request response was still blocked and not available to the user.)
| Severity/Risk: | Serious |
| Versions affected: | 3.11, 3.10 to 3.10.4, 3.9 to 3.9.7 and earlier unsupported |
Insufficient capability checks meant message deletions were not limited to the current user.
| Severity/Risk: | Serious |
| Versions affected: | 3.11, 3.10 to 3.10.4, 3.9 to 3.9.7 and earlier unsupported versions |
| Versions fixed: | 3.11.1, 3.10.5 and 3.9.8 |
| Reported by: | 0xkasper |
| CVE identifier: | CVE-2021-36397 |
| Changes (master): | http://git.moodle.org |
ID numbers displayed in the web service token list required additional sanitizing to prevent a stored XSS risk.
| Severity/Risk: | Minor |
| Versions affected: | 3.11 |
| Versions fixed: | 3.11.1 |
| Reported by: | Marina Glancy |
| CVE identifier: | CVE-2021-36398 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit& |
ID numbers displayed in the quiz override screens required additional sanitizing to prevent a stored XSS risk.
| Severity/Risk: | Minor |
| Versions affected: | 3.11 |
| Versions fixed: | 3.11.1 |
| Reported by: | Paul Holden |
| CVE identifier: | CVE-2021-36399 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=M |
Insufficient capability checks made it possible to remove other users' calendar URL subscriptions.
| Severity/Risk: | Minor |
| Versions affected: | 3.11, 3.10 to 3.10.4, 3.9 to 3.9.7 and earlier unsupported versions |
| Versions fixed: | 3.11.1, 3.10.5 and 3.9.8 |
| Reported by: | Floerer |
| CVE identifier: | CVE-2021-36400 |
| Changes (master): | http://git.moodle. |
ID numbers exported in HTML data formats required additional sanitizing to prevent a local stored XSS risk. Note that the XSS was part of the locally downloaded file and not on the Moodle site's domain.
| Severity/Risk: | Minor |
| Versions affected: | 3.11, 3.10 to 3.10.4, 3.9 to 3.9.7 and earlier unsupported versions |
| Versions fixed: | 3.1 |
Users' names required additional sanitizing in the account confirmation email, to prevent a self-registration phishing risk.
| Severity/Risk: | Minor |
| Versions affected: | 3.11, 3.10 to 3.10.4, 3.9 to 3.9.7 and earlier unsupported versions |
| Versions fixed: | 3.11.1, 3.10.5 and 3.9.8 |
| Reported by: | Babar Khan Akhunzada |
| CVE identifier: | CVE-2021-3 |
In some circumstances, email notifications of messages could have the link back to the original message hidden by HTML, which may pose a phishing risk.
| Severity/Risk: | Minor |
| Versions affected: | 3.11, 3.10 to 3.10.4, 3.9 to 3.9.7 and earlier unsupported versions |
| Versions fixed: | 3.11.1, 3.10.5 and 3.9.8 |
| Reported by: | i_am_nobody |
| CVE |
Teachers exporting a forum in CSV format could receive a CSV of forums from all courses in some circumstances.
| Severity/Risk: | Serious |
| Versions affected: | 3.10 to 3.10.3, 3.9 to 3.9.6 and 3.8 to 3.8.8 |
| Versions fixed: | 3.11, 3.10.4, 3.9.7 and 3.8.9 |
| Reported by: | Daniel Konrad |
| Workaround: | Remove the Export Forum (mod/forum:exportforum) |
It was possible for a student to view their quiz grade before it had been released, using a quiz web service.
| Severity/Risk: | Serious |
| Versions affected: | 3.10 to 3.10.3, 3.9 to 3.9.6, 3.8 to 3.8.8, 3.5 to 3.5.17 and earlier unsupported versions |
| Versions fixed: | 3.11, 3.10.4, 3.9.7, 3.8.9 and 3.5.18 |
| Reported by: | Nadav Kavalerchik |
| CVE |
An SQL injection risk existed on sites with MNet enabled and configured, via an XML-RPC call from the connected peer host. Note that this required site administrator access or access to the keypair.
| Severity/Risk: | Serious |
| Versions affected: | 3.10 to 3.10.3, 3.9 to 3.9.6, 3.8 to 3.8.8, 3.5 to 3.5.17 and earlier unsupported |
ID numbers displayed in the quiz grading report required additional sanitizing to prevent a stored XSS risk.
| Severity/Risk: | Minor |
| Versions affected: | 3.10 to 3.10.3, 3.9 to 3.9.6, 3.8 to 3.8.8, 3.5 to 3.5.17 and earlier unsupported versions |
| Versions fixed: | 3.11, 3.10.4, 3.9.7, 3.8.9 and 3.5.18 |
| Reported by: | Paul Holden |
| CVE |
A denial-of-service risk was identified in the draft files area, due to it not respecting user file upload limits.
| Severity/Risk: | Serious |
| Versions affected: | 3.10 to 3.10.3, 3.9 to 3.9.6, 3.8 to 3.8.8, 3.5 to 3.5.17 and earlier unsupported versions |
| Versions fixed: | 3.11, 3.10.4, 3.9.7, 3.8.9 and 3.5.18 |
| Reported by: | Ben Samtleben |
| CVE |
The last time a user accessed the mobile app is displayed on their profile page, but should be restricted to users with the relevant capability (site administrators by default).
| Severity/Risk: | Minor |
| Versions affected: | 3.10 to 3.10.3 |
| Versions fixed: | 3.11 and 3.10.4 |
| Reported by: | Strifel |
| CVE identifier: | CVE-2021-32477 |
| Changes (master): | h |
The redirect URI in the LTI authorization endpoint required extra sanitizing to prevent reflected XSS and open redirect risks.
| Severity/Risk: | Minor |
| Versions affected: | 3.10 to 3.10.3, 3.9 to 3.9.6, 3.8 to 3.8.8 and earlier unsupported versions |
| Versions fixed: | 3.11, 3.10.4, 3.9.7 and 3.8.9 |
| Reported by: | Jordan Tomkinson |
| CVE |
The H5P PHP library included with Moodle has been upgraded to the latest minor version, which includes a security fix.
| Severity/Risk: | Serious |
| Versions affected: | 3.10 to 3.10.3, 3.9 to 3.9.6 and 3.8 to 3.8.8 |
| Versions fixed: | 3.11, 3.10.4, 3.9.7 and 3.8.9 |
| Reported by: | Sara Arjona |
| CVE identifier: | N/A |
| Changes (master): | http://git.moodle.or |
It was possible for some users without permission to view other users' full names to do so via the online users block.
| Severity/Risk: | Minor |
| Versions affected: | 3.10 to 3.10.1, 3.9 to 3.9.4, 3.8 to 3.8.7, 3.5 to 3.5.16 and earlier unsupported versions |
| Versions fixed: | 3.10.2, 3.9.5, 3.8.8 and 3.5.17 |
| Reported by: | Ankit Agarwal |
| Workarou |
It was possible for some users without permission to view other users' full names to do so via the online users block.
| Severity/Risk: | Minor |
| Versions affected: | 3.10 to 3.10.1, 3.9 to 3.9.4, 3.8 to 3.8.7, 3.5 to 3.5.16 and earlier unsupported versions |
| Versions fixed: | 3.10.2, 3.9.5, 3.8.8 and 3.5.17 |
| Reported by: | Ankit Agarwal |
| Workarou |