===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.1672
                          Moodle security updates
                                18 May 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Moodle
Publisher:         Moodle
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account            
                   Cross-site Scripting            -- Remote with User Interaction
                   Denial of Service               -- Existing Account            
                   Access Confidential Data        -- Existing Account            
                   Reduced Security                -- Existing Account            
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-32478 CVE-2021-32477 CVE-2021-32476
                   CVE-2021-32475 CVE-2021-32474 CVE-2021-32473
                   CVE-2021-32472  

Original Bulletin: 
   https://moodle.org/mod/forum/discuss.php?d=422305&parent=1701629
   https://moodle.org/mod/forum/discuss.php?d=422307&parent=1701631
   https://moodle.org/mod/forum/discuss.php?d=422308&parent=1701632
   https://moodle.org/mod/forum/discuss.php?d=422309&parent=1701633
   https://moodle.org/mod/forum/discuss.php?d=422310&parent=1701635
   https://moodle.org/mod/forum/discuss.php?d=422313&parent=1701638
   https://moodle.org/mod/forum/discuss.php?d=422314&parent=1701639
   https://moodle.org/mod/forum/discuss.php?d=422315&parent=1701640

Comment: This bulletin contains eight (8) Moodle security advisories.

--------------------------BEGIN INCLUDED TEXT--------------------

MSA-21-0012: Forum CSV export could result in posts from all courses being
exported

Teachers exporting a forum in CSV format could receive a CSV of forums from all
courses in some circumstances.

Severity/Risk:     Serious
Versions affected: 3.10 to 3.10.3, 3.9 to 3.9.6 and 3.8 to 3.8.8
Versions fixed:    3.11, 3.10.4, 3.9.7 and 3.8.9
Reported by:       Daniel Konrad
Workaround:        Remove the Export Forum (mod/forum:exportforum) capability
                  from non-admin roles/users until the patch
                  has been applied.
CVE identifier:    CVE-2021-32472
Changes (master):  http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71359
Tracker issue:     MDL-71359 Forum CSV export could result in posts from all
                  courses being exported


--------------------------------------------------------------------------------


MSA-21-0013: Quiz unreleased grade disclosure via web service

It was possible for a student to view their quiz grade before it had been
released, using a quiz web service.

Severity/Risk:     Serious
Versions affected: 3.10 to 3.10.3, 3.9 to 3.9.6, 3.8 to 3.8.8, 3.5 to 3.5.17 and
                  earlier unsupported versions
Versions fixed:    3.11, 3.10.4, 3.9.7, 3.8.9 and 3.5.18
Reported by:       Nadav Kavalerchik
CVE identifier:    CVE-2021-32473
Changes (master):  http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-70720
Tracker issue:     MDL-70720 Quiz unreleased grade disclosure via web service


--------------------------------------------------------------------------------


MSA-21-0014: Blind SQL injection possible via MNet authentication

An SQL injection risk existed on sites with MNet enabled and configured, via an
XML-RPC call from the connected peer host. Note that this required site
administrator access or access to the keypair.

Severity/Risk:     Serious
Versions affected: 3.10 to 3.10.3, 3.9 to 3.9.6, 3.8 to 3.8.8, 3.5 to 3.5.17 and
                  earlier unsupported versions
Versions fixed:    3.11, 3.10.4, 3.9.7, 3.8.9 and 3.5.18
Reported by:       Rekter0
CVE identifier:    CVE-2021-32474
Changes (master):  http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-70804
Tracker issue:     MDL-70804 Blind SQL injection possible via MNet authentication


--------------------------------------------------------------------------------


MSA-21-0015: Stored XSS in quiz grading report via user ID number

ID numbers displayed in the quiz grading report required additional sanitizing
to prevent a stored XSS risk.

Severity/Risk:     Minor
Versions affected: 3.10 to 3.10.3, 3.9 to 3.9.6, 3.8 to 3.8.8, 3.5 to 3.5.17 and
                  earlier unsupported versions
Versions fixed:    3.11, 3.10.4, 3.9.7, 3.8.9 and 3.5.18
Reported by:       Paul Holden
CVE identifier:    CVE-2021-32475
Changes (master):  http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71130
Tracker issue:     MDL-71130 Stored XSS in quiz grading report via user ID number


--------------------------------------------------------------------------------


MSA-21-0016: Files API should mitigate denial-of-service risk when adding to
the draft file area

A denial-of-service risk was identified in the draft files area, due to it not
respecting user file upload limits.

Severity/Risk:     Serious
Versions affected: 3.10 to 3.10.3, 3.9 to 3.9.6, 3.8 to 3.8.8, 3.5 to 3.5.17 and
                  earlier unsupported versions
Versions fixed:    3.11, 3.10.4, 3.9.7, 3.8.9 and 3.5.18
Reported by:       Ben Samtleben
CVE identifier:    CVE-2021-32476
Changes (master):  http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-69028
Tracker issue:     MDL-69028 Files API should mitigate denial-of-service risk
                  when adding to the draft file area


--------------------------------------------------------------------------------


MSA-21-0017: Last app access time is visible to non-site-admins on user profile
page

The last time a user accessed the mobile app is displayed on their profile
page, but should be restricted to users with the relevant capability (site
administrators by default).

Severity/Risk:     Minor
Versions affected: 3.10 to 3.10.3
Versions fixed:    3.11 and 3.10.4
Reported by:       Strifel
CVE identifier:    CVE-2021-32477
Changes (master):  http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71513
Tracker issue:     MDL-71513 Last app access time is visible to non-site-admins
                  on user profile page


--------------------------------------------------------------------------------


MSA-21-0018: Reflected XSS and open redirect in LTI authorization endpoint

The redirect URI in the LTI authorization endpoint required extra sanitizing to
prevent reflected XSS and open redirect risks.

Severity/Risk:     Minor
Versions affected: 3.10 to 3.10.3, 3.9 to 3.9.6, 3.8 to 3.8.8 and earlier
                  unsupported versions
Versions fixed:    3.11, 3.10.4, 3.9.7 and 3.8.9
Reported by:       Jordan Tomkinson
CVE identifier:    CVE-2021-32478
Changes (master):  http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-70622
Tracker issue:     MDL-70622 Reflected XSS and open redirect in LTI authorization
                  endpoint


--------------------------------------------------------------------------------


MSA-21-0019: Upgrade H5P PHP library to latest minor version (upstream)

The H5P PHP library included with Moodle has been upgraded to the latest minor
version, which includes a security fix.

Severity/Risk:     Serious
Versions affected: 3.10 to 3.10.3, 3.9 to 3.9.6 and 3.8 to 3.8.8
Versions fixed:    3.11, 3.10.4, 3.9.7 and 3.8.9
Reported by:       Sara Arjona
CVE identifier:    N/A
Changes (master):  http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71408
Tracker issue:     MDL-71408 Upgrade H5P PHP library to latest minor version
                  (upstream)

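The eight advisories above each give their own "Versions affected" range, so triaging a fleet means checking a site's release string against every range. The following is an added triage helper, not Moodle's or AusCERT's code: it transcribes the ranges from the advisories above and reports which advisories apply to a given Moodle $release value. Two assumptions are made: the set of supported branches is taken from the "Versions fixed" lines (3.11, 3.10, 3.9, 3.8 and 3.5), and "earlier unsupported versions" is read as any unlisted branch that is not in that set and is older than the newest listed branch.

```python
import re

# Supported branches at the time of this bulletin, taken from its "Versions fixed" lines (assumption).
SUPPORTED_BRANCHES = {(3, 11), (3, 10), (3, 9), (3, 8), (3, 5)}

# (advisory id, {affected branch: highest affected patch level}, "earlier unsupported versions" flag),
# transcribed from the "Versions affected" lines of the advisories above.
ADVISORIES = [
    ("MSA-21-0012", {(3, 10): 3, (3, 9): 6, (3, 8): 8}, False),
    ("MSA-21-0013", {(3, 10): 3, (3, 9): 6, (3, 8): 8, (3, 5): 17}, True),
    ("MSA-21-0014", {(3, 10): 3, (3, 9): 6, (3, 8): 8, (3, 5): 17}, True),
    ("MSA-21-0015", {(3, 10): 3, (3, 9): 6, (3, 8): 8, (3, 5): 17}, True),
    ("MSA-21-0016", {(3, 10): 3, (3, 9): 6, (3, 8): 8, (3, 5): 17}, True),
    ("MSA-21-0017", {(3, 10): 3}, False),
    ("MSA-21-0018", {(3, 10): 3, (3, 9): 6, (3, 8): 8}, True),
    ("MSA-21-0019", {(3, 10): 3, (3, 9): 6, (3, 8): 8}, False),
]

def parse_release(release):
    """Map a Moodle $release string (e.g. "3.10.3+ (Build: 20210412)") to
    ((major, minor), patch). A bare "3.10" is patch 0. A trailing "+" marks a
    weekly build after that point release; it is treated as the point release,
    i.e. conservatively as not yet containing the next release's fixes."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError("unrecognised Moodle release string: %r" % release)
    return (int(m.group(1)), int(m.group(2))), int(m.group(3) or 0)

def is_affected(branch, patch, affected, earlier_unsupported):
    if branch in affected:                  # listed branch: fixed once past the max patch
        return patch <= affected[branch]
    # Unlisted branch: only "earlier unsupported versions" (e.g. 3.6, 3.7) count;
    # supported but unlisted branches (3.11, or 3.5 for MSA-21-0018) do not.
    return (earlier_unsupported and branch not in SUPPORTED_BRANCHES
            and branch < max(affected))

def applicable_advisories(release):
    """Return the advisory ids from this bulletin that apply to `release`."""
    branch, patch = parse_release(release)
    return [msa for msa, affected, flag in ADVISORIES
            if is_affected(branch, patch, affected, flag)]

if __name__ == "__main__":
    for rel in ("3.10.3+", "3.9.7", "3.7.2", "3.5.18", "3.11"):
        print(rel, "->", applicable_advisories(rel) or "none from this bulletin")
```

The release string is the $release value in the site's version.php; a "+" build between two point releases is reported as still affected, which is the safe default when the weekly build date cannot be checked against the fix commits.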
--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================