Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2021.0314
Moodle security updates
28 January 2021
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Moodle
Publisher: Moodle
Operating System: UNIX variants (UNIX, Linux, OSX)
Windows
Impact/Access: Execute Arbitrary Code/Commands -- Existing Account
Cross-site Scripting -- Remote with User Interaction
Denial of Service -- Existing Account
Access Confidential Data -- Existing Account
Resolution: Patch/Upgrade
CVE Names: CVE-2021-20187 CVE-2021-20186 CVE-2021-20185
CVE-2021-20184 CVE-2021-20183
Original Bulletin:
https://moodle.org/mod/forum/discuss.php?d=417166&parent=1680837
https://moodle.org/mod/forum/discuss.php?d=417167&parent=1680839
https://moodle.org/mod/forum/discuss.php?d=417168&parent=1680841
https://moodle.org/mod/forum/discuss.php?d=417170&parent=1680845
https://moodle.org/mod/forum/discuss.php?d=417171&parent=1680847
Comment: This bulletin contains five (5) Moodle security advisories.
- --------------------------BEGIN INCLUDED TEXT--------------------
MSA-21-0001: Search input template insufficiently escaped search queries
Some search inputs were vulnerable to reflected XSS due to insufficient
escaping of search queries.
Severity/Risk: Serious
Versions affected: 3.10
Versions fixed: 3.10.1
Reported by: kstpt
CVE identifier: CVE-2021-20183
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-70571
Tracker issue: MDL-70571 Search input template insufficiently escaped search
queries
- --------------------------------------------------------------------------------
MSA-21-0002: Grade information disclosure in grade's external fetch functions
Insufficient capability checks in some grade related web services meant
students were able to view other students' grades.
Severity/Risk: Minor
Versions affected: 3.10, 3.9 to 3.9.3, 3.8 to 3.8.6
Versions fixed: 3.10.1, 3.9.4 and 3.8.7
Reported by: Juan Segarra Montesinos
CVE identifier: CVE-2021-20184
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-69797
Tracker issue: MDL-69797 Grade information disclosure in grade's external
fetch functions
- --------------------------------------------------------------------------------
MSA-21-0003: Client side denial of service via personal message
Messaging did not impose a character limit when sending messages, which could
result in client-side (browser) denial of service for users receiving very
large messages.
Severity/Risk: Minor
Versions affected: 3.10, 3.9 to 3.9.3, 3.8 to 3.8.6, 3.5 to 3.5.15 and earlier
unsupported versions
Versions fixed: 3.10.1, 3.9.4, 3.8.7 and 3.5.16
Reported by: Rik Gouw
CVE identifier: CVE-2021-20185
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-67782
Tracker issue: MDL-67782 Client side denial of service via personal message
- --------------------------------------------------------------------------------
MSA-21-0004: Stored XSS possible via TeX notation filter
If the TeX notation filter was enabled, additional sanitizing of TeX content
was required to prevent the risk of stored XSS.
Severity/Risk: Serious
Versions affected: 3.10, 3.9 to 3.9.3, 3.8 to 3.8.6, 3.5 to 3.5.15 and earlier
unsupported versions
Versions fixed: 3.10.1, 3.9.4, 3.8.7 and 3.5.16
Reported by: Ata Hakcil
Workaround: Disable the TeX notation filter until the patch has been
applied. (Note that this filter is disabled
by default.)
CVE identifier: CVE-2021-20186
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-69911
Tracker issue: MDL-69911 Stored XSS possible via TeX notation filter
- --------------------------------------------------------------------------------
MSA-21-0005: Arbitrary PHP code execution by site admins via Shibboleth
configuration
It was possible for site administrators to execute arbitrary PHP scripts via a
PHP include used during Shibboleth authentication.
Severity/Risk: Serious
Versions affected: 3.10, 3.9 to 3.9.3, 3.8 to 3.8.6, 3.5 to 3.5.15 and earlier
unsupported versions
Versions fixed: 3.10.1, 3.9.4, 3.8.7 and 3.5.16
Reported by: Frédéric Massart
Workaround: Harcode preventexecpath to true in config.php, which prevents
site administrators setting some executable
paths via the UI. See https://docs.moodle.or
g/310/en/report/security/report_security_che
ck_preventexecpath for more details.
CVE identifier: CVE-2021-20187
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-68486
Tracker issue: MDL-68486 Arbitrary PHP code execution by site admins via
Shibboleth configuration
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBYBINpONLKJtyKPYoAQiwEQ/7B+nxkBX6WVFzUgC4ZXYddFuy1cMWZS5o
pUEhJ5G0mvrw74VkSwcwRceR5Wp3I1O4n5cNS1whvYZAehPF4VvBOfhNExBuQcwR
vPO3b1swpdbTgJVCH8FpMHuywudeizbv7V4n9RVl1L36ymewkyqvlGzfc45ZpUKv
JUw/0ZzUi+SjJOPPG+CoF2tD3l1pQH9s4EQur6Thw50QI0kn3ZkLKegyC3mGcy8W
M+xXuYrUEzZmBeabdzb//H8L8wtEcPLp3wRoCEaFoemh+l4LBXHn42406tojJb9N
G6/uDm47ffoqSZDyek5s6lQHGJwLEojmkJok4j3qQ9D5E10CcfyB1fkOZV4di2Zn
XO+vIWos+ft+7HY4slWsV/1WOLUNLb3S6ckO/CaoVhu+QhFIEoVrNjY2h1PGHZ+8
f61cHSpDLTrSjAlQJOR5Y0GDLWXmftbJ7nUkRBeI7BmzZnX4fzu3a0qsQP7x5mpf
YxV8O7ss/OGvumAmNPj7abTG4o2iD9YUbRU9eROo8MviYLuLCvuCve9izVPP8TiJ
YXyT/PFrRNFZq7e/+++QC3xow/v0dNoVboNwrES/B4lDwJ7ZUuDsYGnLqKEB6VYG
No34VYG1wDc4dyBMGZFNWlw4XgUwow8O41aLy7DA3yzsxTrVYcpgl0/v7g0eMSxK
TtYpHpcNKMQ=
=F67t
-----END PGP SIGNATURE-----