ALT Linux Team

Package moodle update in sisyphus on 2022-03-14

ALT-PU-2022-1476-1

Package moodle updated to version 3.11.6-alt1 for branch sisyphus in task 296583.

Closed vulnerabilities

Published: 2022-03-21

BDU:2022-01636

Уязвимость виртуальной обучающей среды Moodle, связанная с непринятием мер по защите структуры запроса SQL , позволяющая нарушителю выполнять произвольные SQL-запросы в базе данных

Severity: HIGH (8.8) Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References:
Published: 2022-03-21

BDU:2022-01638

Уязвимость виртуальной обучающей среды Moodle, связанная с недостатками контроля доступа, позволяющая нарушителю настроить значки курса с помощью критериев поля профиля

Severity: MEDIUM (6.3) Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
References:
Published: 2022-03-25
Modified: 2024-11-21

CVE-2022-0983

An SQL injection risk was identified in Badges code relating to configuring criteria. Access to the relevant capability was limited to teachers and managers by default.

Severity: HIGH (8.8) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References:
Published: 2022-04-29
Modified: 2024-11-21

CVE-2022-0984

Users with the capability to configure badge criteria (teachers and managers by default) were able to configure course badges with profile field criteria, which should only be available for site badges.

Severity: MEDIUM (4.3) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
References:
Published: 2022-04-29
Modified: 2024-11-21

CVE-2022-0985

Insufficient capability checks could allow users with the moodle/site:uploadusers capability to delete users, without having the necessary moodle/user:delete capability.

Severity: MEDIUM (4.3) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
References:
VKontakte | Telegram | YouTube | Forum | GitHub | Bugzilla
Version: 2.1.0
Back to top