ALT-PU-2021-3335-2

Package moodle updated to version 3.11.4-alt1 for branch p10 in task 285173.

Уязвимость системы управления Moodle, связанная с ошибками управления генерации кода, позволяющая нарушителю выполнить произвольный код

Severity: CRITICAL (9.8)Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Severity: CRITICAL (10.0)Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

References:

CVE-2021-3943

Уязвимость системы управления Moodle, связанная с недостатками разграничения доступа, позволяющая нарушителю повысить привилегии

Severity: MEDIUM (6.5)Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Severity: MEDIUM (6.4)Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N

References:

CVE-2021-43560

Уязвимость системы управления Moodle, связанная с непринятием мер по защите структуры веб-страниц, позволяющая нарушителю осуществлять межсайтовые сценарные атаки (XSS)

Severity: MEDIUM (6.1)Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Severity: MEDIUM (6.4)Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N

References:

CVE-2021-43558

Уязвимость функции «delete related badge» системы управления Moodle, связанная с межсайтовыми фольсификациями запросов, позволяющая нарушителю осуществить CSRF-атаку

Severity: MEDIUM (6.1)Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Severity: MEDIUM (6.4)Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N

References:

CVE-2021-43559

A flaw was found in Moodle in versions 3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10 and earlier unsupported versions. A remote code execution risk when restoring backup files was identified.

Severity: HIGH (7.5)Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Severity: CRITICAL (9.8)Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

A session hijack risk was identified in the Shibboleth authentication plugin.

Severity: MEDIUM (4.3)Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

References:

Insufficient capability checks made it possible for teachers to download users outside of their courses.

Severity: MEDIUM (4.3)Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

References:

An authentication bypass risk was identified in the external database authentication functionality, due to a type juggling vulnerability.

Severity: MEDIUM (6.5)Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

References:

Insufficient escaping of the LaTeX preamble made it possible for site administrators to read files available to the HTTP server system account.

Severity: MEDIUM (4.9)Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

References:

It was possible for a student to view their quiz grade before it had been released, using a quiz web service.

Severity: MEDIUM (4.3)Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

References:

A flaw was found in Moodle in versions 3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10 and earlier unsupported versions. A URL parameter in the filetype site administrator tool required extra sanitizing to prevent a reflected XSS risk.

Severity: MEDIUM (4.3)Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Severity: MEDIUM (6.1)Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References:

A flaw was found in Moodle in versions 3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10 and earlier unsupported versions. The "delete related badge" functionality did not include the necessary token check to prevent a CSRF risk.

Severity: MEDIUM (6.8)Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

Severity: HIGH (8.8)Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References:

A flaw was found in Moodle in versions 3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10 and earlier unsupported versions. Insufficient capability checks made it possible to fetch other users' calendar action events.

Severity: MEDIUM (5.0)Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Severity: MEDIUM (5.3)Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References:

Moodle type juggling vulnerability

Severity: MEDIUM (6.5)Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

References:

Moodle contains CSRF vulnerability

Severity: HIGH (8.8)Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References:

Moodle vulnerable to RCE via unsafe deserialization

Severity: CRITICAL (9.8)Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Moodle Improper Authentication

Severity: MEDIUM (4.3)Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

References:

Moodle Insecure direct object reference (IDOR) in a calendar web service

Severity: MEDIUM (5.3)Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References:

Moodle Exposure of Sensitive Information to an Unauthorized Actor

Severity: MEDIUM (4.3)Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

References:

Moodle Improper Encoding or Escaping of Output

Severity: MEDIUM (4.9)Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

References:

Cross-site Scripting in moodle

Severity: MEDIUM (6.1)Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References:

Moodle Incorrect Authorization

Severity: MEDIUM (4.3)Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

References:

Version: 2.1.2

Package moodle update in p10 on 2021-11-22

ALT-PU-2021-3335-2

Closed vulnerabilities

BDU:2021-06184

BDU:2021-06185

BDU:2021-06186

BDU:2021-06190

CVE-2021-3943

CVE-2021-40691

CVE-2021-40692

CVE-2021-40693

CVE-2021-40694

CVE-2021-40695

CVE-2021-43558

CVE-2021-43559

CVE-2021-43560

GHSA-2jxg-mv2m-j4r7

GHSA-3jrj-x6cj-97cp

GHSA-8jhp-2gcr-qw96

GHSA-92vh-mr2w-j2cr

GHSA-g39c-mccf-rxjv

GHSA-gp4w-f57r-9rx3

GHSA-m37g-mwcg-7j7v

GHSA-wpfp-q843-v772

GHSA-wr6q-xv23-rfq9