===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.2431
                       Moodle: Multiple vulnerabilities
                                20 July 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Moodle
Publisher:         Moodle
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Execute Arbitrary Code/Commands -- Unknown/Unspecified
                   Delete Arbitrary Files          -- Unknown/Unspecified
                   Cross-site Scripting            -- Remote with User Interaction
                   Denial of Service               -- Unknown/Unspecified
                   Reduced Security                -- Unknown/Unspecified
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-36403 CVE-2021-36402 CVE-2021-36401 CVE-2021-36400
                   CVE-2021-36399 CVE-2021-36398 CVE-2021-36397 CVE-2021-36396
                   CVE-2021-36395 CVE-2021-36394

Original Bulletin:
   https://moodle.org/mod/forum/discuss.php?d=424799&parent=1710818
   https://moodle.org/mod/forum/discuss.php?d=424801&parent=1710820
   https://moodle.org/mod/forum/discuss.php?d=424802&parent=1710821
   https://moodle.org/mod/forum/discuss.php?d=424803&parent=1710822
   https://moodle.org/mod/forum/discuss.php?d=424804&parent=1710823
   https://moodle.org/mod/forum/discuss.php?d=424805&parent=1710824
   https://moodle.org/mod/forum/discuss.php?d=424806&parent=1710825
   https://moodle.org/mod/forum/discuss.php?d=424807&parent=1710826
   https://moodle.org/mod/forum/discuss.php?d=424808&parent=1710827
   https://moodle.org/mod/forum/discuss.php?d=424809&parent=1710828

Comment: This bulletin contains ten (10) Moodle security advisories.

--------------------------BEGIN INCLUDED TEXT--------------------

MSA-21-0022: Remote code execution risk when Shibboleth authentication is enabled

A remote code execution risk was identified in the Shibboleth authentication
plugin.

(Note: Shibboleth authentication is disabled by default in Moodle.)
Severity/Risk:     Serious
Versions affected: 3.11, 3.10 to 3.10.4, 3.9 to 3.9.7 and earlier unsupported versions
Versions fixed:    3.11.1, 3.10.5 and 3.9.8
Reported by:       Robin Peraglie and Johannes Moritz
CVE identifier:    CVE-2021-36394
Changes (master):  http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71957
Tracker issue:     MDL-71957 Remote code execution risk when Shibboleth authentication is enabled

--------------------------------------------------------------------------------

MSA-21-0023: Recursion denial of service possible due to recursive cURL in file repository

The file repository's URL parsing required additional recursion handling to
mitigate the risk of recursion denial of service.

Severity/Risk:     Serious
Versions affected: 3.11, 3.10 to 3.10.4, 3.9 to 3.9.7 and earlier unsupported versions
Versions fixed:    3.11.1, 3.10.5 and 3.9.8
Reported by:       0xkasper
CVE identifier:    CVE-2021-36395
Changes (master):  http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71922
Tracker issue:     MDL-71922 Recursion denial of service possible due to recursive cURL in file repository

--------------------------------------------------------------------------------

MSA-21-0024: Blind SSRF possible against cURL blocked hosts via redirect

Insufficient redirect handling made it possible to blindly bypass cURL blocked
hosts/allowed ports restrictions, resulting in a blind SSRF risk.

(Note: The request response was still blocked and not available to the user.)
Severity/Risk:     Serious
Versions affected: 3.11, 3.10 to 3.10.4, 3.9 to 3.9.7 and earlier unsupported versions
Versions fixed:    3.11.1, 3.10.5 and 3.9.8
Reported by:       Rekter0 and Holme
CVE identifier:    CVE-2021-36396
Changes (master):  http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71916
Tracker issue:     MDL-71916 Blind SSRF possible against cURL blocked hosts via redirect

--------------------------------------------------------------------------------

MSA-21-0025: Messaging web service allows deletion of other users' messages

Insufficient capability checks meant message deletions were not limited to the
current user.

Severity/Risk:     Serious
Versions affected: 3.11, 3.10 to 3.10.4, 3.9 to 3.9.7 and earlier unsupported versions
Versions fixed:    3.11.1, 3.10.5 and 3.9.8
Reported by:       0xkasper
CVE identifier:    CVE-2021-36397
Changes (master):  http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71917
Tracker issue:     MDL-71917 Messaging web service allows deletion of other users' messages

--------------------------------------------------------------------------------

MSA-21-0026: Stored XSS in the web service token list via user ID number

ID numbers displayed in the web service token list required additional
sanitizing to prevent a stored XSS risk.

Severity/Risk:     Minor
Versions affected: 3.11
Versions fixed:    3.11.1
Reported by:       Marina Glancy
CVE identifier:    CVE-2021-36398
Changes (master):  http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71760
Tracker issue:     MDL-71760 Stored XSS in the web service token list via user ID number

--------------------------------------------------------------------------------

MSA-21-0027: Stored XSS in quiz override screens via user ID number

ID numbers displayed in the quiz override screens required additional
sanitizing to prevent a stored XSS risk.
Severity/Risk:     Minor
Versions affected: 3.11
Versions fixed:    3.11.1
Reported by:       Paul Holden
CVE identifier:    CVE-2021-36399
Changes (master):  http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71898
Tracker issue:     MDL-71898 Stored XSS in quiz override screens via user ID number

--------------------------------------------------------------------------------

MSA-21-0028: IDOR allows removal of other users' calendar URL subscriptions

Insufficient capability checks made it possible to remove other users' calendar
URL subscriptions.

Severity/Risk:     Minor
Versions affected: 3.11, 3.10 to 3.10.4, 3.9 to 3.9.7 and earlier unsupported versions
Versions fixed:    3.11.1, 3.10.5 and 3.9.8
Reported by:       Floerer
CVE identifier:    CVE-2021-36400
Changes (master):  http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71978
Tracker issue:     MDL-71978 IDOR allows removal of other users' calendar URL subscriptions

--------------------------------------------------------------------------------

MSA-21-0029: Stored XSS when exporting to data formats supporting HTML via user ID number

ID numbers exported in HTML data formats required additional sanitizing to
prevent a local stored XSS risk.

Note that the XSS was part of the locally downloaded file and not on the
Moodle site's domain.
Severity/Risk:     Minor
Versions affected: 3.11, 3.10 to 3.10.4, 3.9 to 3.9.7 and earlier unsupported versions
Versions fixed:    3.11.1, 3.10.5 and 3.9.8
Reported by:       Paul Holden
CVE identifier:    CVE-2021-36401
Changes (master):  http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71981
Tracker issue:     MDL-71981 Stored XSS when exporting to data formats supporting HTML via user ID number

--------------------------------------------------------------------------------

MSA-21-0030: Insufficient escaping of users' names in account confirmation email

Users' names required additional sanitizing in the account confirmation email,
to prevent a self-registration phishing risk.

Severity/Risk:     Minor
Versions affected: 3.11, 3.10 to 3.10.4, 3.9 to 3.9.7 and earlier unsupported versions
Versions fixed:    3.11.1, 3.10.5 and 3.9.8
Reported by:       Babar Khan Akhunzada
CVE identifier:    CVE-2021-36402
Changes (master):  http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-58393
Tracker issue:     MDL-58393 Insufficient escaping of users' names in account confirmation email

--------------------------------------------------------------------------------

MSA-21-0031: Messaging email notifications containing HTML may hide the final line of the email

In some circumstances, email notifications of messages could have the link back
to the original message hidden by HTML, which may pose a phishing risk.

Severity/Risk:     Minor
Versions affected: 3.11, 3.10 to 3.10.4, 3.9 to 3.9.7 and earlier unsupported versions
Versions fixed:    3.11.1, 3.10.5 and 3.9.8
Reported by:       i_am_nobody
CVE identifier:    CVE-2021-36403
Changes (master):  http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71919
Tracker issue:     MDL-71919 Messaging email notifications containing HTML may hide the final line of the email

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT.
The mailing list you are subscribed to is maintained within your organisation,
so if you do not wish to continue receiving these bulletins you should contact
your local IT manager. If you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the appropriate
person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be
updated when updates to the original are made. If downloading at a later date,
it is recommended that the bulletin is retrieved directly from the author's
website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
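The redirect weakness behind MSA-21-0024 above is that a host/port policy enforced only on the first URL is skipped for the hops cURL follows automatically. The following is an added illustration, not Moodle's code (Moodle is PHP; Python is used here for a self-contained check): redirects are followed manually and every hop is re-checked against the policy before it is requested. The blocked hosts, allowed ports, DNS table and fake server are all constructed for the example.

```python
import ipaddress
from urllib.parse import urljoin, urlsplit

# Constructed policy for this example: hosts/networks a server-side fetcher
# must never reach, and the only ports it may use (Moodle exposes similar
# "blocked hosts" / "allowed ports" settings; names here are illustrative).
BLOCKED_HOSTS = {"localhost", "metadata.internal"}
BLOCKED_NETS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "10.0.0.0/8", "::1/128")]
ALLOWED_PORTS = {80, 443}
MAX_REDIRECTS = 5

# Constructed stand-in for DNS so the example runs offline.
FAKE_DNS = {"files.example.org": "203.0.113.10", "cdn.example.org": "203.0.113.20",
            "localhost": "127.0.0.1", "intranet.example.org": "10.1.2.3"}

def _as_ip(text):
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None

def hop_allowed(url):
    """Policy check applied to EVERY URL about to be requested, not just the first."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    host = parts.hostname.lower()
    port = parts.port or (443 if parts.scheme == "https" else 80)
    if port not in ALLOWED_PORTS or host in BLOCKED_HOSTS:
        return False
    ip = _as_ip(host) or _as_ip(FAKE_DNS.get(host, ""))   # literal IP or resolved name
    return ip is not None and not any(ip in net for net in BLOCKED_NETS)

def fetch_with_checked_redirects(url, send):
    """Follow redirects by hand; `send(url)` returns (status, headers).
    Letting the HTTP client auto-follow would skip hop_allowed() for hops 2..n,
    which is exactly the bypass the advisory describes."""
    for _ in range(MAX_REDIRECTS + 1):
        if not hop_allowed(url):
            return ("blocked", url)          # refused before any request is sent
        status, headers = send(url)
        if status not in (301, 302, 303, 307, 308):
            return ("ok", url)
        url = urljoin(url, headers.get("Location", ""))   # relative Location handled
    return ("too-many-redirects", url)

# Constructed fake server: the public host redirects to various targets.
FAKE_SERVER = {
    "https://files.example.org/a":    (302, {"Location": "https://cdn.example.org/a"}),
    "https://cdn.example.org/a":      (200, {}),
    "https://files.example.org/evil": (302, {"Location": "http://localhost/admin"}),
    "https://files.example.org/ip":   (302, {"Location": "http://127.0.0.1/"}),
    "https://files.example.org/port": (302, {"Location": "https://cdn.example.org:8443/"}),
    "https://files.example.org/loop": (302, {"Location": "/loop"}),
}

def fake_send(url):
    return FAKE_SERVER.get(url, (404, {}))
```

The same pattern applies to any server-side fetcher: the check that guards the first request must run again on each Location the server returns, and a redirect cap prevents the loop case from becoming a denial of service.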