-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.2431
                     Moodle: Multiple vulnerabilities
                               20 July 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Moodle
Publisher:         Moodle
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Execute Arbitrary Code/Commands -- Unknown/Unspecified
                   Delete Arbitrary Files          -- Unknown/Unspecified
                   Cross-site Scripting            -- Remote with User Interaction
                   Denial of Service               -- Unknown/Unspecified
                   Reduced Security                -- Unknown/Unspecified
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-36403 CVE-2021-36402 CVE-2021-36401
                   CVE-2021-36400 CVE-2021-36399 CVE-2021-36398
                   CVE-2021-36397 CVE-2021-36396 CVE-2021-36395
                   CVE-2021-36394

Original Bulletin: 
   https://moodle.org/mod/forum/discuss.php?d=424799&parent=1710818
   https://moodle.org/mod/forum/discuss.php?d=424801&parent=1710820
   https://moodle.org/mod/forum/discuss.php?d=424802&parent=1710821
   https://moodle.org/mod/forum/discuss.php?d=424803&parent=1710822
   https://moodle.org/mod/forum/discuss.php?d=424804&parent=1710823
   https://moodle.org/mod/forum/discuss.php?d=424805&parent=1710824
   https://moodle.org/mod/forum/discuss.php?d=424806&parent=1710825
   https://moodle.org/mod/forum/discuss.php?d=424807&parent=1710826
   https://moodle.org/mod/forum/discuss.php?d=424808&parent=1710827
   https://moodle.org/mod/forum/discuss.php?d=424809&parent=1710828

Comment: This bulletin contains ten (10) Moodle security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

MSA-21-0022: Remote code execution risk when Shibboleth authentication is
enabled

A remote code execution risk was identified in the Shibboleth authentication
plugin. (Note: Shibboleth authentication is disabled by default in Moodle.)

Severity/Risk:     Serious
Versions affected: 3.11, 3.10 to 3.10.4, 3.9 to 3.9.7 and earlier unsupported
                  versions
Versions fixed:    3.11.1, 3.10.5 and 3.9.8
Reported by:       Robin Peraglie and Johannes Moritz
CVE identifier:    CVE-2021-36394
Changes (master):  http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71957
Tracker issue:     MDL-71957 Remote code execution risk when Shibboleth
                  authentication is enabled

- --------------------------------------------------------------------------------

MSA-21-0023: Recursion denial of service possible due to recursive cURL in file
repository

The file repository's URL parsing required additional recursion handling to
mitigate the risk of recursion denial of service.

Severity/Risk:     Serious
Versions affected: 3.11, 3.10 to 3.10.4, 3.9 to 3.9.7 and earlier unsupported
                  versions
Versions fixed:    3.11.1, 3.10.5 and 3.9.8
Reported by:       0xkasper
CVE identifier:    CVE-2021-36395
Changes (master):  http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71922
Tracker issue:     MDL-71922 Recursion denial of service possible due to
                  recursive cURL in file repository

- --------------------------------------------------------------------------------

MSA-21-0024: Blind SSRF possible against cURL blocked hosts via redirect

Insufficient redirect handling made it possible to blindly bypass cURL blocked
hosts/allowed ports restrictions, resulting in a blind SSRF risk. (Note: The
request response was still blocked and not available to the user.)

Severity/Risk:     Serious
Versions affected: 3.11, 3.10 to 3.10.4, 3.9 to 3.9.7 and earlier unsupported
                  versions
Versions fixed:    3.11.1, 3.10.5 and 3.9.8
Reported by:       Rekter0 and Holme
CVE identifier:    CVE-2021-36396
Changes (master):  http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71916
Tracker issue:     MDL-71916 Blind SSRF possible against cURL blocked hosts via
                  redirect
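The two cURL issues above (MSA-21-0023 and MSA-21-0024) share one defensive pattern: validate the host/port restrictions on every redirect hop, not only on the first URL, and bound the length of the chain. The following Python is an added illustration written for this bulletin, not Moodle's own code; `fetch`, `BlockedUrl`, the rule format and the constructed responses are assumptions for the demo.

```python
import ipaddress
from urllib.parse import urljoin, urlsplit

class BlockedUrl(Exception):
    """A URL, or a redirect target, violates the host/port restrictions."""

def check_url(url, blocked_hosts, allowed_ports):
    """Reject hosts in blocked_hosts (names, IPs, CIDR) and ports not in allowed_ports.
    Names are not resolved here; a real check must also test the resolved addresses."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    port = parts.port or (443 if parts.scheme == "https" else 80)
    if parts.scheme not in ("http", "https") or port not in allowed_ports:
        raise BlockedUrl(f"scheme/port not allowed: {url}")
    for rule in blocked_hosts:
        try:  # CIDR rules only apply to IP-literal hosts; names fall through
            in_range = "/" in rule and ipaddress.ip_address(host) in ipaddress.ip_network(rule, strict=False)
        except ValueError:
            in_range = False
        if in_range or host == rule.lower():
            raise BlockedUrl(f"host {host} is blocked by rule {rule}: {url}")
    return url

def fetch_checked(url, fetch, blocked_hosts, allowed_ports, max_hops=5, recheck_each_hop=True):
    """Follow redirects manually so every hop is validated, not just the first.
    fetch(url) -> (status, headers, body) and must not follow redirects itself.
    recheck_each_hop=False models the pre-fix behaviour in MSA-21-0024; max_hops
    bounds the chain, the same idea as the recursion limit in MSA-21-0023."""
    check_url(url, blocked_hosts, allowed_ports)
    for _ in range(max_hops + 1):
        status, headers, body = fetch(url)
        if status not in (301, 302, 303, 307, 308):
            return url, body
        url = urljoin(url, headers.get("Location", ""))  # relative Location resolved against this hop
        if recheck_each_hop:
            check_url(url, blocked_hosts, allowed_ports)
    raise BlockedUrl(f"more than {max_hops} redirects")

# Constructed responses standing in for a web server; nothing touches the network.
FAKE_RESPONSES = {
    "https://public.example/file.txt": (200, {}, b"public file"),
    "https://public.example/bounce": (302, {"Location": "http://127.0.0.1:8080/admin"}, b""),
    "https://public.example/loop": (302, {"Location": "/loop"}, b""),
    "http://127.0.0.1:8080/admin": (200, {}, b"internal only"),
}

def fake_fetch(url):
    return FAKE_RESPONSES.get(url, (404, {}, b""))
```

With `recheck_each_hop=False` the "bounce" URL reaches the internal address; with the default every hop is checked and the redirect is refused, and the self-referencing "loop" URL stops at `max_hops`.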

- --------------------------------------------------------------------------------

MSA-21-0025: Messaging web service allows deletion of other users' messages

Insufficient capability checks meant message deletions were not limited to the
current user.

Severity/Risk:     Serious
Versions affected: 3.11, 3.10 to 3.10.4, 3.9 to 3.9.7 and earlier unsupported
                  versions
Versions fixed:    3.11.1, 3.10.5 and 3.9.8
Reported by:       0xkasper
CVE identifier:    CVE-2021-36397
Changes (master):  http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71917
Tracker issue:     MDL-71917 Messaging web service allows deletion of other
                  users' messages

- --------------------------------------------------------------------------------

MSA-21-0026: Stored XSS in the web service token list via user ID number

ID numbers displayed in the web service token list required additional
sanitizing to prevent a stored XSS risk.

Severity/Risk:     Minor
Versions affected: 3.11
Versions fixed:    3.11.1
Reported by:       Marina Glancy
CVE identifier:    CVE-2021-36398
Changes (master):  http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71760
Tracker issue:     MDL-71760 Stored XSS in the web service token list via user ID
                  number

- --------------------------------------------------------------------------------

MSA-21-0027: Stored XSS in quiz override screens via user ID number

ID numbers displayed in the quiz override screens required additional
sanitizing to prevent a stored XSS risk.

Severity/Risk:     Minor
Versions affected: 3.11
Versions fixed:    3.11.1
Reported by:       Paul Holden
CVE identifier:    CVE-2021-36399
Changes (master):  http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71898
Tracker issue:     MDL-71898 Stored XSS in quiz override screens via user ID
                  number

- --------------------------------------------------------------------------------

MSA-21-0028: IDOR allows removal of other users' calendar URL subscriptions

Insufficient capability checks made it possible to remove other users' calendar
URL subscriptions.

Severity/Risk:     Minor
Versions affected: 3.11, 3.10 to 3.10.4, 3.9 to 3.9.7 and earlier unsupported
                  versions
Versions fixed:    3.11.1, 3.10.5 and 3.9.8
Reported by:       Floerer
CVE identifier:    CVE-2021-36400
Changes (master):  http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71978
Tracker issue:     MDL-71978 IDOR allows removal of other users' calendar URL
                  subscriptions

- --------------------------------------------------------------------------------

MSA-21-0029: Stored XSS when exporting to data formats supporting HTML via user
ID number

ID numbers exported in HTML data formats required additional sanitizing to
prevent a local stored XSS risk. Note that the XSS was part of the locally
downloaded file and not on the Moodle site's domain.

Severity/Risk:     Minor
Versions affected: 3.11, 3.10 to 3.10.4, 3.9 to 3.9.7 and earlier unsupported
                  versions
Versions fixed:    3.11.1, 3.10.5 and 3.9.8
Reported by:       Paul Holden
CVE identifier:    CVE-2021-36401
Changes (master):  http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71981
Tracker issue:     MDL-71981 Stored XSS when exporting to data formats supporting
                  HTML via user ID number

- --------------------------------------------------------------------------------

MSA-21-0030: Insufficient escaping of users' names in account confirmation
email

Users' names required additional sanitizing in the account confirmation email,
to prevent a self-registration phishing risk.

Severity/Risk:     Minor
Versions affected: 3.11, 3.10 to 3.10.4, 3.9 to 3.9.7 and earlier unsupported
                  versions
Versions fixed:    3.11.1, 3.10.5 and 3.9.8
Reported by:       Babar Khan Akhunzada
CVE identifier:    CVE-2021-36402
Changes (master):  http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-58393
Tracker issue:     MDL-58393 Insufficient escaping of users' names in account
                  confirmation email

- --------------------------------------------------------------------------------

MSA-21-0031: Messaging email notifications containing HTML may hide the final
line of the email

In some circumstances, email notifications of messages could have the link back
to the original message hidden by HTML, which may pose a phishing risk.

Severity/Risk:     Minor
Versions affected: 3.11, 3.10 to 3.10.4, 3.9 to 3.9.7 and earlier unsupported
                  versions
Versions fixed:    3.11.1, 3.10.5 and 3.9.8
Reported by:       i_am_nobody
CVE identifier:    CVE-2021-36403
Changes (master):  http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71919
Tracker issue:     MDL-71919 Messaging email notifications containing HTML may
                  hide the final line of the email

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----