SB2024082033 - Multiple vulnerabilities in Moodle
Published: August 20, 2024 Updated: February 10, 2025
Description
This security bulletin contains information about 16 vulnerabilities.
1) Cross-site scripting (CVE-ID: CVE-2024-43439)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data within the H5P error message. A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.
2) Code Injection (CVE-ID: CVE-2024-43425)
CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Green
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to improper input validation within calculated question types. A remote user can send a specially crafted request and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
3) Information disclosure (CVE-ID: CVE-2024-43426)
CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to insufficient sanitization in the TeX notation filter. A remote attacker can gain unauthorized access to sensitive information on the system.
4) Information disclosure (CVE-ID: CVE-2024-43427)
CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists because the admin presets export tool includes some secrets that should not be exported. A remote attacker can gain unauthorized access to sensitive information on the system.
5) Use of cache containing sensitive information (CVE-ID: CVE-2024-43428)
CWE-ID: CWE-524 - Use of Cache Containing Sensitive Information
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to compromise user accounts.
The vulnerability exists due to cache poisoning via injection into storage. A remote attacker can gain access to sensitive information.
6) Information disclosure (CVE-ID: CVE-2024-43429)
CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to user information visibility control issues in gradebook reports. A remote user can gain unauthorized access to sensitive information on the system.
7) Improper access control (CVE-ID: CVE-2024-43430)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions when using external methods for Quiz overrides. A remote attacker can bypass implemented security restrictions and gain unauthorized access to the application.
8) Improper access control (CVE-ID: CVE-2024-43431)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to an insecure direct object reference (IDOR) in badges. A remote user can delete badges without holding the permission required to access them.
9) Information disclosure (CVE-ID: CVE-2024-43432)
CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists because authorization headers are preserved across "emulated redirects". A remote attacker can gain unauthorized access to sensitive information on the system.
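The defect class in item 9 is a client that follows redirects itself ("emulates" them) and re-sends the original request headers to whatever host the Location header names. The following added example is not Moodle's code; it models a minimal emulated-redirect follower with a `strip_cross_origin` switch so the defective behaviour (credentials follow the redirect to any origin) can be compared with the corrected one (credential headers are dropped whenever scheme, host or port changes). The URLs, header values and redirect chain are constructed for the demonstration.

```python
from urllib.parse import urljoin, urlsplit

# Request headers that carry credentials and must not leak to another origin.
SENSITIVE_HEADERS = frozenset({"authorization", "proxy-authorization", "cookie"})


def _origin(url):
    """Return (scheme, host, port) with default ports filled in, for origin comparison."""
    parts = urlsplit(url)
    port = parts.port or {"http": 80, "https": 443}.get(parts.scheme.lower())
    return (parts.scheme.lower(), (parts.hostname or "").lower(), port)


def headers_for_redirect(current_url, location, headers, strip_cross_origin=True):
    """Compute (next_url, next_headers) for one emulated redirect hop.

    With strip_cross_origin=False the function reproduces the defect: every
    header, credentials included, is re-sent to the redirect target. With the
    default, credential headers are removed when the target origin differs
    (a scheme downgrade https -> http on the same host also counts as a change).
    """
    next_url = urljoin(current_url, location)
    next_headers = dict(headers)
    if strip_cross_origin and _origin(next_url) != _origin(current_url):
        next_headers = {k: v for k, v in headers.items()
                        if k.lower() not in SENSITIVE_HEADERS}
    return next_url, next_headers


def follow_emulated_redirects(start_url, headers, responses, max_redirects=5,
                              strip_cross_origin=True):
    """Walk a constructed redirect chain and return the list of (url, headers) sent.

    `responses` maps a URL to the Location header it answers with; None means a
    final non-redirect response. No network access is performed.
    """
    url, hdrs = start_url, dict(headers)
    trace = [(url, dict(hdrs))]
    for _ in range(max_redirects):
        location = responses.get(url)
        if location is None:
            return trace
        url, hdrs = headers_for_redirect(url, location, hdrs, strip_cross_origin)
        trace.append((url, dict(hdrs)))
    raise RuntimeError("too many redirects")


if __name__ == "__main__":
    # Constructed chain: same-origin hop, then a redirect off to another host.
    chain = {"https://lms.example/ws": "/ws/v2",
             "https://lms.example/ws/v2": "https://third-party.example/collect"}
    creds = {"Authorization": "Bearer constructed-token", "Accept": "application/json"}
    for url, sent in follow_emulated_redirects("https://lms.example/ws", creds, chain):
        print(url, sorted(sent))
```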
10) Improper access control (CVE-ID: CVE-2024-43433)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists because Matrix room membership and power levels are not correctly applied or revoked for suspended Moodle users.
11) Cross-site request forgery (CVE-ID: CVE-2024-43434)
CWE-ID: CWE-352 - Cross-Site Request Forgery (CSRF)
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to perform cross-site request forgery attacks.
The vulnerability exists due to insufficient validation of the HTTP request origin in the Feedback non-respondents report. A remote attacker can trick the victim into visiting a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.
12) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2024-43435)
CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to insufficient capability checks. A remote user can create a global glossary without being an admin.
13) SQL injection (CVE-ID: CVE-2024-43436)
CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute arbitrary SQL queries in the database.
The vulnerability exists due to insufficient sanitization of user-supplied data in the XMLDB editor. A remote administrator can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.
Successful exploitation of this vulnerability may allow a remote attacker to read, delete or modify data in the database and gain complete control over the affected application.
14) Improper access control (CVE-ID: CVE-2024-43438)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to an insecure direct object reference (IDOR) in the Feedback non-respondents report. A remote attacker can message arbitrary site users.
15) Code Injection (CVE-ID: CVE-2024-43440)
CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to local file inclusion when restoring malformed block backups. A remote attacker can execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
16) Cross-site scripting (CVE-ID: CVE-2024-43437)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data when restoring a malicious course backup file. A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.
Remediation
Install the update from the vendor's website.
References
- https://moodle.org/mod/forum/discuss.php?d=461209
- https://moodle.org/mod/forum/discuss.php?d=461193
- https://moodle.org/mod/forum/discuss.php?d=461194
- https://moodle.org/mod/forum/discuss.php?d=461195
- https://moodle.org/mod/forum/discuss.php?d=461196
- https://moodle.org/mod/forum/discuss.php?d=461197
- https://moodle.org/mod/forum/discuss.php?d=461198
- https://moodle.org/mod/forum/discuss.php?d=461199
- https://moodle.org/mod/forum/discuss.php?d=461200
- https://moodle.org/mod/forum/discuss.php?d=461202
- https://moodle.org/mod/forum/discuss.php?d=461203
- https://moodle.org/mod/forum/discuss.php?d=461205
- https://moodle.org/mod/forum/discuss.php?d=461206
- https://moodle.org/mod/forum/discuss.php?d=461208
- https://moodle.org/mod/forum/discuss.php?d=461210
- https://moodle.org/mod/forum/discuss.php?d=461207