SB2024082033 - Multiple vulnerabilities in Moodle
Published: August 20, 2024 Updated: February 10, 2025
Description
This security bulletin contains information about 16 security vulnerabilities.
1) Cross-site scripting (CVE-ID: CVE-2024-43439)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data within H5P error messages. A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.
2) Code Injection (CVE-ID: CVE-2024-43425)
The vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability exists due to improper input validation in calculated question types. A remote user can send a specially crafted request and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
3) Information disclosure (CVE-ID: CVE-2024-43426)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to insufficient sanitization in the TeX notation filter. A remote attacker can gain unauthorized access to sensitive information on the system.
4) Information disclosure (CVE-ID: CVE-2024-43427)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists because the admin presets export tool includes some secrets that should not be exported. An attacker who obtains an exported preset can read those secrets.
5) Use of cache containing sensitive information (CVE-ID: CVE-2024-43428)
The vulnerability allows a remote attacker to poison cached data.
The vulnerability exists due to cache poisoning via injection into storage. A remote attacker can inject data into the cache storage and gain access to sensitive information.
6) Information disclosure (CVE-ID: CVE-2024-43429)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to user information visibility control issues in gradebook reports. A remote user can view user information in gradebook reports that should be hidden from them.
7) Improper access control (CVE-ID: CVE-2024-43430)
The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to missing access checks when Quiz overrides are managed through external (web service) methods. A remote user can bypass the restrictions enforced by the web interface and gain unauthorized access to Quiz override functionality.
8) Improper access control (CVE-ID: CVE-2024-43431)
The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to an insecure direct object reference (IDOR) in badges. A remote user can delete badges without the required permission.
9) Information disclosure (CVE-ID: CVE-2024-43432)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists because authorization headers are preserved when the HTTP client emulates redirects. An attacker who controls the redirect target receives the header and can gain unauthorized access to sensitive information on the system.
10) Improper access control (CVE-ID: CVE-2024-43433)
The vulnerability allows a remote user to retain access to otherwise restricted functionality.
The vulnerability exists because Matrix room membership and power levels are not correctly applied or revoked for suspended Moodle users. A suspended user can keep Matrix room access and privileges that should have been revoked.
11) Cross-site request forgery (CVE-ID: CVE-2024-43434)
The vulnerability allows a remote attacker to perform cross-site request forgery attacks.
The vulnerability exists due to insufficient validation of the HTTP request origin in the Feedback non-respondents report. A remote attacker can trick the victim into visiting a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.
12) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2024-43435)
The vulnerability allows a remote user to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to insufficient capability checks. A remote user can create a global glossary without being an administrator.
13) SQL injection (CVE-ID: CVE-2024-43436)
The vulnerability allows a remote administrator to execute arbitrary SQL queries in the database.
The vulnerability exists due to insufficient sanitization of user-supplied data in the XMLDB editor. A remote administrator can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.
Successful exploitation of this vulnerability may allow the attacker to read, modify or delete data in the database and gain complete control over the affected application.
14) Improper access control (CVE-ID: CVE-2024-43438)
The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to an insecure direct object reference (IDOR) in the Feedback non-respondents report. A remote user can message arbitrary site users.
15) Code Injection (CVE-ID: CVE-2024-43440)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to local file inclusion when restoring malformed block backups. A remote user who can restore a backup can execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
16) Cross-site scripting (CVE-ID: CVE-2024-43437)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data when restoring a malicious course backup file. A remote attacker can trick the victim into restoring a specially crafted backup file and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.
Remediation
Install the update from the vendor's website.
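A quick way to verify the remediation on an installation, as an added example that is neither part of this bulletin nor Moodle's own tooling: parse the $release line of version.php and compare it with the minimum patched release for that branch. The version.php excerpt is constructed, and the MIN_PATCHED table is an assumption that must be confirmed against the linked Moodle forum posts before relying on it.

```python
import re

# Constructed excerpt of a Moodle version.php; on a real install read
# <moodledir>/version.php instead.
SAMPLE_VERSION_PHP = """<?php
defined('MOODLE_INTERNAL') || die();
$version  = 2024042201.00;
$release  = '4.4.1 (Build: 20240708)';
$branch   = '404';
"""

# Assumed minimum patched release per branch for this bulletin; confirm the
# numbers against the linked forum posts before relying on them.
MIN_PATCHED = {
    (4, 4): (4, 4, 2),
    (4, 3): (4, 3, 6),
    (4, 2): (4, 2, 9),
    (4, 1): (4, 1, 12),
}

RELEASE_RE = re.compile(r"\$release\s*=\s*'(\d+)\.(\d+)(?:\.(\d+))?(\+?)")


def parse_release(version_php):
    """Return (major, minor, patch) from the $release line.
    '4.4 (Build: ...)' is 4.4.0. A trailing '+' marks a weekly build after that
    release; it is treated as the base release, i.e. assumed not to carry
    fixes from any later release."""
    m = RELEASE_RE.search(version_php)
    if m is None:
        raise ValueError("no $release line found")
    major, minor, patch, _plus = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_patched(release, min_patched=MIN_PATCHED):
    """True/False for a branch in the table; None for a branch not listed,
    which needs manual review (it may be end-of-life or newer than the table)."""
    needed = min_patched.get(release[:2])
    if needed is None:
        return None
    return release >= needed


if __name__ == "__main__":
    rel = parse_release(SAMPLE_VERSION_PHP)
    print("installed:", ".".join(map(str, rel)), "patched:", is_patched(rel))
```

A branch missing from the table returns None rather than True so that an unsupported branch is never reported as patched by accident.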
References
- https://moodle.org/mod/forum/discuss.php?d=461209
- https://moodle.org/mod/forum/discuss.php?d=461193
- https://moodle.org/mod/forum/discuss.php?d=461194
- https://moodle.org/mod/forum/discuss.php?d=461195
- https://moodle.org/mod/forum/discuss.php?d=461196
- https://moodle.org/mod/forum/discuss.php?d=461197
- https://moodle.org/mod/forum/discuss.php?d=461198
- https://moodle.org/mod/forum/discuss.php?d=461199
- https://moodle.org/mod/forum/discuss.php?d=461200
- https://moodle.org/mod/forum/discuss.php?d=461202
- https://moodle.org/mod/forum/discuss.php?d=461203
- https://moodle.org/mod/forum/discuss.php?d=461205
- https://moodle.org/mod/forum/discuss.php?d=461206
- https://moodle.org/mod/forum/discuss.php?d=461208
- https://moodle.org/mod/forum/discuss.php?d=461210
- https://moodle.org/mod/forum/discuss.php?d=461207