-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.1672
                          Moodle security updates
                                18 May 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Moodle
Publisher:         Moodle
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
                   Cross-site Scripting            -- Remote with User Interaction
                   Denial of Service               -- Existing Account
                   Access Confidential Data        -- Existing Account
                   Reduced Security                -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-32478 CVE-2021-32477 CVE-2021-32476
                   CVE-2021-32475 CVE-2021-32474 CVE-2021-32473
                   CVE-2021-32472
Original Bulletin:
   https://moodle.org/mod/forum/discuss.php?d=422305&parent=1701629
   https://moodle.org/mod/forum/discuss.php?d=422307&parent=1701631
   https://moodle.org/mod/forum/discuss.php?d=422308&parent=1701632
   https://moodle.org/mod/forum/discuss.php?d=422309&parent=1701633
   https://moodle.org/mod/forum/discuss.php?d=422310&parent=1701635
   https://moodle.org/mod/forum/discuss.php?d=422313&parent=1701638
   https://moodle.org/mod/forum/discuss.php?d=422314&parent=1701639
   https://moodle.org/mod/forum/discuss.php?d=422315&parent=1701640

Comment: This bulletin contains eight (8) Moodle security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

MSA-21-0012: Forum CSV export could result in posts from all courses being exported

Teachers exporting a forum in CSV format could receive a CSV of forums from
all courses in some circumstances.

Severity/Risk:     Serious
Versions affected: 3.10 to 3.10.3, 3.9 to 3.9.6 and 3.8 to 3.8.8
Versions fixed:    3.11, 3.10.4, 3.9.7 and 3.8.9
Reported by:       Daniel Konrad
Workaround:        Remove the Export Forum (mod/forum:exportforum) capability
                   from non-admin roles/users until the patch has been applied.
CVE identifier:    CVE-2021-32472
Changes (master):  http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71359
Tracker issue:     MDL-71359 Forum CSV export could result in posts from all
                   courses being exported

- --------------------------------------------------------------------------------

MSA-21-0013: Quiz unreleased grade disclosure via web service

It was possible for a student to view their quiz grade before it had been
released, using a quiz web service.

Severity/Risk:     Serious
Versions affected: 3.10 to 3.10.3, 3.9 to 3.9.6, 3.8 to 3.8.8, 3.5 to 3.5.17
                   and earlier unsupported versions
Versions fixed:    3.11, 3.10.4, 3.9.7, 3.8.9 and 3.5.18
Reported by:       Nadav Kavalerchik
CVE identifier:    CVE-2021-32473
Changes (master):  http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-70720
Tracker issue:     MDL-70720 Quiz unreleased grade disclosure via web service

- --------------------------------------------------------------------------------

MSA-21-0014: Blind SQL injection possible via MNet authentication

An SQL injection risk existed on sites with MNet enabled and configured, via
an XML-RPC call from the connected peer host. Note that this required site
administrator access or access to the keypair.

Severity/Risk:     Serious
Versions affected: 3.10 to 3.10.3, 3.9 to 3.9.6, 3.8 to 3.8.8, 3.5 to 3.5.17
                   and earlier unsupported versions
Versions fixed:    3.11, 3.10.4, 3.9.7, 3.8.9 and 3.5.18
Reported by:       Rekter0
CVE identifier:    CVE-2021-32474
Changes (master):  http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-70804
Tracker issue:     MDL-70804 Blind SQL injection possible via MNet authentication

- --------------------------------------------------------------------------------

MSA-21-0015: Stored XSS in quiz grading report via user ID number

ID numbers displayed in the quiz grading report required additional
sanitizing to prevent a stored XSS risk.

Severity/Risk:     Minor
Versions affected: 3.10 to 3.10.3, 3.9 to 3.9.6, 3.8 to 3.8.8, 3.5 to 3.5.17
                   and earlier unsupported versions
Versions fixed:    3.11, 3.10.4, 3.9.7, 3.8.9 and 3.5.18
Reported by:       Paul Holden
CVE identifier:    CVE-2021-32475
Changes (master):  http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71130
Tracker issue:     MDL-71130 Stored XSS in quiz grading report via user ID number

- --------------------------------------------------------------------------------

MSA-21-0016: Files API should mitigate denial-of-service risk when adding to the draft file area

A denial-of-service risk was identified in the draft files area, due to it
not respecting user file upload limits.

Severity/Risk:     Serious
Versions affected: 3.10 to 3.10.3, 3.9 to 3.9.6, 3.8 to 3.8.8, 3.5 to 3.5.17
                   and earlier unsupported versions
Versions fixed:    3.11, 3.10.4, 3.9.7, 3.8.9 and 3.5.18
Reported by:       Ben Samtleben
CVE identifier:    CVE-2021-32476
Changes (master):  http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-69028
Tracker issue:     MDL-69028 Files API should mitigate denial-of-service risk
                   when adding to the draft file area

- --------------------------------------------------------------------------------

MSA-21-0017: Last app access time is visible to non-site-admins on user profile page

The last time a user accessed the mobile app is displayed on their profile
page, but should be restricted to users with the relevant capability (site
administrators by default).

Severity/Risk:     Minor
Versions affected: 3.10 to 3.10.3
Versions fixed:    3.11 and 3.10.4
Reported by:       Strifel
CVE identifier:    CVE-2021-32477
Changes (master):  http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71513
Tracker issue:     MDL-71513 Last app access time is visible to non-site-admins
                   on user profile page

- --------------------------------------------------------------------------------

MSA-21-0018: Reflected XSS and open redirect in LTI authorization endpoint

The redirect URI in the LTI authorization endpoint required extra sanitizing
to prevent reflected XSS and open redirect risks.

Severity/Risk:     Minor
Versions affected: 3.10 to 3.10.3, 3.9 to 3.9.6, 3.8 to 3.8.8 and earlier
                   unsupported versions
Versions fixed:    3.11, 3.10.4, 3.9.7 and 3.8.9
Reported by:       Jordan Tomkinson
CVE identifier:    CVE-2021-32478
Changes (master):  http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-70622
Tracker issue:     MDL-70622 Reflected XSS and open redirect in LTI
                   authorization endpoint

- --------------------------------------------------------------------------------

MSA-21-0019: Upgrade H5P PHP library to latest minor version (upstream)

The H5P PHP library included with Moodle has been upgraded to the latest
minor version, which includes a security fix.

Severity/Risk:     Serious
Versions affected: 3.10 to 3.10.3, 3.9 to 3.9.6 and 3.8 to 3.8.8
Versions fixed:    3.11, 3.10.4, 3.9.7 and 3.8.9
Reported by:       Sara Arjona
CVE identifier:    N/A
Changes (master):  http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71408
Tracker issue:     MDL-71408 Upgrade H5P PHP library to latest minor version
                   (upstream)

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
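Added worked example (not part of the AusCERT bulletin and not Moodle's own tooling): a small checker that takes the "Versions affected" and "Versions fixed" strings of the eight advisories above, as they appear in the bulletin, and decides whether a given installed Moodle release still needs one of the listed upgrades and which fixed release to move to. The version strings are copied from the advisories; the installed version "3.9.5" in the usage block is a constructed sample. One assumption is the example's own rather than a bulletin statement: releases that the bulletin folds into "earlier unsupported versions" without naming them (for instance a 3.6.x or 3.7.x site) are treated as affected, which is the conservative choice for patch planning.

```python
import re
from typing import List, Optional, Tuple

# (advisory id, "Versions affected", "Versions fixed") for the eight
# MSA-21-0012 .. MSA-21-0019 entries, copied from the bulletin above.
LTS_AFFECTED = ("3.10 to 3.10.3, 3.9 to 3.9.6, 3.8 to 3.8.8, 3.5 to 3.5.17 "
                "and earlier unsupported versions")
LTS_FIXED = "3.11, 3.10.4, 3.9.7, 3.8.9 and 3.5.18"
ADVISORIES = [
    ("MSA-21-0012", "3.10 to 3.10.3, 3.9 to 3.9.6 and 3.8 to 3.8.8", "3.11, 3.10.4, 3.9.7 and 3.8.9"),
    ("MSA-21-0013", LTS_AFFECTED, LTS_FIXED),
    ("MSA-21-0014", LTS_AFFECTED, LTS_FIXED),
    ("MSA-21-0015", LTS_AFFECTED, LTS_FIXED),
    ("MSA-21-0016", LTS_AFFECTED, LTS_FIXED),
    ("MSA-21-0017", "3.10 to 3.10.3", "3.11 and 3.10.4"),
    ("MSA-21-0018", "3.10 to 3.10.3, 3.9 to 3.9.6, 3.8 to 3.8.8 and earlier unsupported versions",
     "3.11, 3.10.4, 3.9.7 and 3.8.9"),
    ("MSA-21-0019", "3.10 to 3.10.3, 3.9 to 3.9.6 and 3.8 to 3.8.8", "3.11, 3.10.4, 3.9.7 and 3.8.9"),
]

RANGE_RE = re.compile(r"(\d+(?:\.\d+)*)\s+to\s+(\d+(?:\.\d+)*)")   # "3.9 to 3.9.6"
VERSION_RE = re.compile(r"\d+(?:\.\d+)*")                           # "3.10.4"

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'3.10.3' -> (3, 10, 3); a bare branch such as '3.11' pads to (3, 11, 0)
    so that tuple comparison orders releases correctly (3.9.6 < 3.10.0)."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def assess(installed: str, affected: str, fixed: str) -> str:
    """Classify one installed release against one advisory's two version
    strings: 'fixed', 'affected' or 'not_listed'."""
    v = parse_version(installed)
    fixed_versions = [parse_version(f) for f in VERSION_RE.findall(fixed)]
    ranges = [(parse_version(lo), parse_version(hi)) for lo, hi in RANGE_RE.findall(affected)]
    # 1. At or above the fix on the same major.minor branch: patched.
    if any(f[:2] == v[:2] and v >= f for f in fixed_versions):
        return "fixed"
    # 2. Inside an explicitly listed inclusive range: affected.
    if any(lo <= v <= hi for lo, hi in ranges):
        return "affected"
    # 3. The bulletin folds older releases into "earlier unsupported versions"
    #    without naming them. Policy assumption of this example, not a bulletin
    #    statement: any release older than the newest affected branch that has
    #    no fix on its own branch (e.g. 3.6.x, 3.7.x) is treated as affected.
    if "earlier unsupported" in affected and ranges and v < max(lo for lo, _ in ranges):
        return "affected"
    return "not_listed"


def recommended_upgrade(installed: str, fixed: str) -> Optional[str]:
    """The fixed release to move to: the one on the installed branch if the
    bulletin lists it, otherwise the nearest fixed release above `installed`."""
    v = parse_version(installed)
    fixed_items = sorted((parse_version(f), f) for f in VERSION_RE.findall(fixed))
    same_branch = [f for pv, f in fixed_items if pv[:2] == v[:2]]
    if same_branch:
        return same_branch[0]
    newer = [f for pv, f in fixed_items if pv > v]
    return newer[0] if newer else None


def applicable_advisories(installed: str) -> List[Tuple[str, Optional[str]]]:
    """[(advisory id, upgrade target)] for every advisory that still applies."""
    return [(msa, recommended_upgrade(installed, fixed))
            for msa, affected, fixed in ADVISORIES
            if assess(installed, affected, fixed) == "affected"]


if __name__ == "__main__":
    # Constructed sample: a site still on the 3.9 branch.
    for msa, target in applicable_advisories("3.9.5"):
        print(f"{msa}: affected, upgrade to {target}")
```

Run against "3.9.5" the checker reports seven of the eight advisories (MSA-21-0017 lists only the 3.10 branch) and points each at 3.9.7; against "3.10.4" it reports nothing, because every advisory names 3.10.4 as fixed. The same-branch rule in step 1 matters: a site on 3.9.7 is below the 3.10 ranges numerically but is patched, so a plain "lower than the newest affected version" comparison would produce false positives.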
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBYKNMZ+NLKJtyKPYoAQg4FQ//eYCnZa4UQ32mTisn7dtxa3NuAlXv9TDL
5/qGEarwgz7DxUdge8TM9dXkMRTP9kvXveB2DzJryhUqPLGZ5L1Hg2suxe9ja7Fb
QuZMZs4+Jb1XyReM41kRAxfYxjoNsstJRABh5l+B9ZEYRodbqqeJGpt8OJkSq9Hb
yxfwxV+7Yi47d93uxpkDPNC2DXsIpUFG8dMmWnpeCXN5WXAozRaNRKUm85qgu/R2
TArPu0uLwcFOiDD+JsduogCNBk2vjWKfDmJC0FutskJiBJ1PbRY2C08CWiF4gxpG
s0yWxKvB3ZhYzTK3REkO9cm/zKZk5OS4aNWFw7AqHIB6Ly2rtynVRLb+Xb73Wwr8
LGREWAMqaGbUO/Q/75ch3Rhs4wLW8bYkLi455VrNlAc6b0/RYgkjvbfv6zHFfPHC
gfCjF3IlThz926iCqxRdiIBT7U+XVqxxLVF6rkdembHAJE8pm4IJshaegEEOs9En
NpbEs6TVnwfJY7zx9v5n/y2ptZxW9UhOjOUlllBaS/+w09OPtHBFj8zS/BELm0Yx
S2qcqkevEbV9Dp7jvgJMNXTiWPSrWt/TCF+SPZ3sdYe8AWtmdylZQlN64XoKXPhf
va8T19dhjh9n2/dbftKU45eoUtI2TCDnLiO3DZ0OOLGy5IUcZQHTUG38hWEgwdh9
8CvsZe0suHw=
=Qk8b
-----END PGP SIGNATURE-----