ALT Linux Team

Package moodle update in sisyphus on 2022-01-17

ALT-PU-2022-1064-2

Package moodle updated to version 3.11.5-alt1 for branch sisyphus in task 293548.

Closed vulnerabilities

Published: 2023-06-30

BDU:2023-03479

Уязвимость компонента mod_h5pactivity виртуальной обучающей среды Moodle, позволяющая нарушителю выполнять произвольные SQL-запросы в базе данных

Severity: CRITICAL (9.8)Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity: CRITICAL (10.0)Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
References:
Published: 2022-01-25
Modified: 2024-11-21

CVE-2022-0332

A flaw was found in Moodle in versions 3.11 to 3.11.4. An SQL injection risk was identified in the h5p activity web service responsible for fetching user attempt data.

Severity: HIGH (7.5)Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Severity: CRITICAL (9.8)Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
Published: 2022-01-25
Modified: 2024-11-21

CVE-2022-0333

A flaw was found in Moodle in versions 3.11 to 3.11.4, 3.10 to 3.10.8, 3.9 to 3.9.11 and earlier unsupported versions. The calendar:manageentries capability allowed managers to access or modify any calendar event, but should have been restricted from accessing user level events.

Severity: MEDIUM (5.5)Vector: AV:N/AC:L/Au:S/C:P/I:P/A:N
Severity: LOW (3.8)Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N
References:
Published: 2022-01-25
Modified: 2024-11-21

CVE-2022-0334

A flaw was found in Moodle in versions 3.11 to 3.11.4, 3.10 to 3.10.8, 3.9 to 3.9.11 and earlier unsupported versions. Insufficient capability checks could lead to users accessing their grade report for courses where they did not have the required gradereport/user:view capability.

Severity: MEDIUM (4.0)Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N
Severity: MEDIUM (4.3)Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
References:
Published: 2022-01-25
Modified: 2024-11-21

CVE-2022-0335

A flaw was found in Moodle in versions 3.11 to 3.11.4, 3.10 to 3.10.8, 3.9 to 3.9.11 and earlier unsupported versions. The "delete badge alignment" functionality did not include the necessary token check to prevent a CSRF risk.

Severity: MEDIUM (6.8)Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Severity: HIGH (8.8)Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
References:
Published: 2022-01-29
Modified: 2022-02-02

GHSA-6jhm-4vmx-mr76

SQL injection in Moodle

Severity: CRITICAL (9.8)Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
Published: 2022-01-29
Modified: 2022-02-02

GHSA-93pj-4p65-qmr9

Insufficient user authorization in Moodle

Severity: MEDIUM (4.3)Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
References:
Published: 2022-01-29
Modified: 2022-02-02

GHSA-m434-m5pv-p35w

Insufficient user authorization in Moodle

Severity: LOW (3.8)Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N
References:
Published: 2022-01-29
Modified: 2022-02-02

GHSA-xpfv-89vg-r562

Cross Site Request Forgery in Moodle

Severity: HIGH (8.8)Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
References:
VKontakte|Telegram|YouTube|Forum|GitHub|Bugzilla
Version: 2.1.2
Back to top