-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.0314
                          Moodle security updates
                              28 January 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Moodle
Publisher:         Moodle
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
                   Cross-site Scripting            -- Remote with User Interaction
                   Denial of Service               -- Existing Account
                   Access Confidential Data        -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-20187 CVE-2021-20186 CVE-2021-20185
                   CVE-2021-20184 CVE-2021-20183

Original Bulletin:
   https://moodle.org/mod/forum/discuss.php?d=417166&parent=1680837
   https://moodle.org/mod/forum/discuss.php?d=417167&parent=1680839
   https://moodle.org/mod/forum/discuss.php?d=417168&parent=1680841
   https://moodle.org/mod/forum/discuss.php?d=417170&parent=1680845
   https://moodle.org/mod/forum/discuss.php?d=417171&parent=1680847

Comment: This bulletin contains five (5) Moodle security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

MSA-21-0001: Search input template insufficiently escaped search queries

Some search inputs were vulnerable to reflected XSS due to insufficient
escaping of search queries.
Severity/Risk:     Serious
Versions affected: 3.10
Versions fixed:    3.10.1
Reported by:       kstpt
CVE identifier:    CVE-2021-20183
Changes (master):  http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-70571
Tracker issue:     MDL-70571 Search input template insufficiently escaped search queries

- --------------------------------------------------------------------------------

MSA-21-0002: Grade information disclosure in grade's external fetch functions

Insufficient capability checks in some grade related web services meant
students were able to view other students' grades.

Severity/Risk:     Minor
Versions affected: 3.10, 3.9 to 3.9.3, 3.8 to 3.8.6
Versions fixed:    3.10.1, 3.9.4 and 3.8.7
Reported by:       Juan Segarra Montesinos
CVE identifier:    CVE-2021-20184
Changes (master):  http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-69797
Tracker issue:     MDL-69797 Grade information disclosure in grade's external fetch functions

- --------------------------------------------------------------------------------

MSA-21-0003: Client side denial of service via personal message

Messaging did not impose a character limit when sending messages, which could
result in client-side (browser) denial of service for users receiving very
large messages.

Severity/Risk:     Minor
Versions affected: 3.10, 3.9 to 3.9.3, 3.8 to 3.8.6, 3.5 to 3.5.15 and earlier
                   unsupported versions
Versions fixed:    3.10.1, 3.9.4, 3.8.7 and 3.5.16
Reported by:       Rik Gouw
CVE identifier:    CVE-2021-20185
Changes (master):  http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-67782
Tracker issue:     MDL-67782 Client side denial of service via personal message

- --------------------------------------------------------------------------------

MSA-21-0004: Stored XSS possible via TeX notation filter

If the TeX notation filter was enabled, additional sanitizing of TeX content
was required to prevent the risk of stored XSS.
Severity/Risk:     Serious
Versions affected: 3.10, 3.9 to 3.9.3, 3.8 to 3.8.6, 3.5 to 3.5.15 and earlier
                   unsupported versions
Versions fixed:    3.10.1, 3.9.4, 3.8.7 and 3.5.16
Reported by:       Ata Hakcil
Workaround:        Disable the TeX notation filter until the patch has been
                   applied. (Note that this filter is disabled by default.)
CVE identifier:    CVE-2021-20186
Changes (master):  http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-69911
Tracker issue:     MDL-69911 Stored XSS possible via TeX notation filter

- --------------------------------------------------------------------------------

MSA-21-0005: Arbitrary PHP code execution by site admins via Shibboleth
configuration

It was possible for site administrators to execute arbitrary PHP scripts via
a PHP include used during Shibboleth authentication.

Severity/Risk:     Serious
Versions affected: 3.10, 3.9 to 3.9.3, 3.8 to 3.8.6, 3.5 to 3.5.15 and earlier
                   unsupported versions
Versions fixed:    3.10.1, 3.9.4, 3.8.7 and 3.5.16
Reported by:       Frédéric Massart
Workaround:        Hardcode preventexecpath to true in config.php, which
                   prevents site administrators setting some executable paths
                   via the UI. See
                   https://docs.moodle.org/310/en/report/security/report_security_check_preventexecpath
                   for more details.
CVE identifier:    CVE-2021-20187
Changes (master):  http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-68486
Tracker issue:     MDL-68486 Arbitrary PHP code execution by site admins via Shibboleth configuration

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you do
not know who that is, please send an email to auscert@auscert.org.au and we
will forward your request to the appropriate person.
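The affected and fixed version lists above, together with the MSA-21-0005 workaround, translate into a simple local check an administrator can run before and after patching. The following Python script is an added example; it is not part of the AusCERT bulletin, the Moodle advisories, or Moodle's own code. It reads the `$release` string from a Moodle `version.php` and the text of `config.php` (both sample texts below are constructed), classifies the install against the fixed releases named in this bulletin (3.10.1, 3.9.4, 3.8.7 and 3.5.16), and reports whether `$CFG->preventexecpath = true;` is hardcoded. The `$release` assignment format and the `$CFG->preventexecpath` setting are Moodle's; the function names and the branch classification rules are this example's own assumptions.

```python
import re

# First fixed point release per Moodle branch, taken from ESB-2021.0314
# (MSA-21-0001 .. MSA-21-0005): branch (major, minor) -> patch number.
FIXED_BY_BRANCH = {
    (3, 10): 1,   # 3.10.1
    (3, 9): 4,    # 3.9.4
    (3, 8): 7,    # 3.8.7
    (3, 5): 16,   # 3.5.16
}
# Newest branch named in the bulletin; anything newer post-dates it.
NEWEST_BRANCH = (3, 10)

# Moodle's version.php carries a line such as:
#   $release  = '3.9.3 (Build: 20201109)';
_RELEASE_RE = re.compile(r"\$release\s*=\s*'(\d+)\.(\d+)(?:\.(\d+))?([^']*)'")

# The MSA-21-0005 workaround is a literal assignment in config.php. Anchoring
# at the start of the line (after whitespace) skips '//'-commented copies;
# a setting inside a /* ... */ block would still match, so review by hand too.
_PREVENT_RE = re.compile(r"^\s*\$CFG->preventexecpath\s*=\s*(?i:true)\s*;", re.M)


def parse_release(version_php: str):
    """Return (major, minor, patch, suffix) parsed from a version.php text.
    A release without a patch number, e.g. '3.10', is treated as patch 0."""
    m = _RELEASE_RE.search(version_php)
    if m is None:
        raise ValueError("no $release assignment found in version.php")
    major, minor, patch, suffix = m.groups()
    return int(major), int(minor), int(patch or 0), suffix.strip()


def patch_status(version_php: str) -> str:
    """Classify an install against the fixed releases in this bulletin.
    A '+' weekly-build suffix is deliberately ignored: the release is treated
    as its base version, which errs on the side of reporting 'vulnerable'."""
    major, minor, patch, _suffix = parse_release(version_php)
    branch = (major, minor)
    if branch > NEWEST_BRANCH:
        return "not-affected"        # released after the bulletin
    fix = FIXED_BY_BRANCH.get(branch)
    if fix is None:
        return "unsupported"         # affected, and no fix on this branch
    return "patched" if patch >= fix else "vulnerable"


def preventexecpath_hardcoded(config_php: str) -> bool:
    """True if config.php forces $CFG->preventexecpath on (MSA-21-0005 workaround)."""
    return _PREVENT_RE.search(config_php) is not None


def assess(version_php: str, config_php: str) -> dict:
    """Combine both checks into the actions an administrator should take."""
    status = patch_status(version_php)
    hardened = preventexecpath_hardcoded(config_php)
    actions = []
    if status in ("vulnerable", "unsupported"):
        actions.append("upgrade to 3.10.1, 3.9.4, 3.8.7 or 3.5.16 (or a newer supported branch)")
        if not hardened:
            actions.append("hardcode $CFG->preventexecpath = true; in config.php until patched")
    return {"status": status, "preventexecpath_hardcoded": hardened, "actions": actions}


# Constructed sample files (not taken from any real site).
SAMPLE_VERSION_PHP = (
    "<?php\n"
    "$release  = '3.9.3 (Build: 20201109)';\n"
)
SAMPLE_CONFIG_PHP = (
    "<?php\n"
    "$CFG = new stdClass();\n"
    "$CFG->dbtype = 'mysqli';\n"
    "// $CFG->preventexecpath = true;\n"   # commented out: does not count
)
HARDENED_CONFIG_PHP = SAMPLE_CONFIG_PHP + "$CFG->preventexecpath = true;\n"

if __name__ == "__main__":
    for label, cfg in (("as shipped", SAMPLE_CONFIG_PHP), ("hardened", HARDENED_CONFIG_PHP)):
        print(label, assess(SAMPLE_VERSION_PHP, cfg))
```

Point the two sample strings at the real `version.php` and `config.php` of an install (for example via `open(path).read()`) to run it against a site. The hardcoded `preventexecpath` line is only the stop-gap the advisory names; the `actions` list still asks for the upgrade, because the workaround limits what site administrators can set through the UI rather than removing the PHP include itself.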
NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBYBINpONLKJtyKPYoAQiwEQ/7B+nxkBX6WVFzUgC4ZXYddFuy1cMWZS5o
pUEhJ5G0mvrw74VkSwcwRceR5Wp3I1O4n5cNS1whvYZAehPF4VvBOfhNExBuQcwR
vPO3b1swpdbTgJVCH8FpMHuywudeizbv7V4n9RVl1L36ymewkyqvlGzfc45ZpUKv
JUw/0ZzUi+SjJOPPG+CoF2tD3l1pQH9s4EQur6Thw50QI0kn3ZkLKegyC3mGcy8W
M+xXuYrUEzZmBeabdzb//H8L8wtEcPLp3wRoCEaFoemh+l4LBXHn42406tojJb9N
G6/uDm47ffoqSZDyek5s6lQHGJwLEojmkJok4j3qQ9D5E10CcfyB1fkOZV4di2Zn
XO+vIWos+ft+7HY4slWsV/1WOLUNLb3S6ckO/CaoVhu+QhFIEoVrNjY2h1PGHZ+8
f61cHSpDLTrSjAlQJOR5Y0GDLWXmftbJ7nUkRBeI7BmzZnX4fzu3a0qsQP7x5mpf
YxV8O7ss/OGvumAmNPj7abTG4o2iD9YUbRU9eROo8MviYLuLCvuCve9izVPP8TiJ
YXyT/PFrRNFZq7e/+++QC3xow/v0dNoVboNwrES/B4lDwJ7ZUuDsYGnLqKEB6VYG
No34VYG1wDc4dyBMGZFNWlw4XgUwow8O41aLy7DA3yzsxTrVYcpgl0/v7g0eMSxK
TtYpHpcNKMQ=
=F67t
-----END PGP SIGNATURE-----