Все бюллетени/p9/ALT-PU-2020-3289-2
ALT-PU-2020-3289-2

Обновление пакета moodle в ветке p9

Версия3.10.0-alt1
Задание#261271
Опубликовано2026-02-04
Макс. серьёзностьCRITICAL
Серьёзность:

Закрытые проблемы (47)

BDU:2022-07408
CRITICAL9.1

Уязвимость системы управления курсами Moodle, связанная с недостаточной проверкой введенных пользователем данных в библиотеке поставщика LTI, позволяющая нарушителю выполнять SSRF-атаки

Опубликовано: 2022-12-23Изменено: 2022-12-26
CVSS 3.xКРИТИЧЕСКАЯ 9.1
CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CVSS 2.0КРИТИЧЕСКАЯ 9.4
CVSS:2.0/AV:N/AC:L/Au:N/C:C/I:C/A:N
BDU:2023-07958
CRITICAL9.8

Уязвимость виртуальной обучающей среды Moodle, связанная с неверным управлением генерацией кода, позволяющая нарушителю выполнить произвольный код

Опубликовано: 2023-11-17Изменено: 2024-04-03
CVSS 3.xКРИТИЧЕСКАЯ 9.8
CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 2.0КРИТИЧЕСКАЯ 10.0
CVSS:2.0/AV:N/AC:L/Au:N/C:C/I:C/A:C
BDU:2023-07959
HIGH8.8

Уязвимость виртуальной обучающей среды Moodle, связанная с неверным управлением генерацией кода, позволяющая нарушителю выполнить произвольный код

Опубликовано: 2023-11-17
CVSS 3.xВЫСОКАЯ 8.8
CVSS:3.x/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS 2.0КРИТИЧЕСКАЯ 9.0
CVSS:2.0/AV:N/AC:L/Au:S/C:C/I:C/A:C
BDU:2024-02592
LOW3.3

Уязвимость виртуальной обучающей среды Moodle, связанная с раскрытием конфиденциальной информации несанкционированному субъекту, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации

Опубликовано: 2024-04-03
CVSS 3.xНИЗКАЯ 3.3
CVSS:3.x/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CVSS 2.0НИЗКАЯ 1.7
CVSS:2.0/AV:L/AC:L/Au:S/C:P/I:N/A:N
CVE-2020-25628
MEDIUM6.1

The filter in the tag manager required extra sanitizing to prevent a reflected XSS risk. This affects 3.9 to 3.9.1, 3.8 to 3.8.4, 3.7 to 3.7.7, 3.5 to 3.5.13 and earlier unsupported versions. Fixed in 3.9.2, 3.8.5, 3.7.8 and 3.5.14.

Опубликовано: 2020-12-07Изменено: 2026-06-17
CVSS 2.0СРЕДНЯЯ 4.3
CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSS 3.xСРЕДНЯЯ 6.1
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVE-2020-25629
HIGH8.8

A vulnerability was found in Moodle where users with "Log in as" capability in a course context (typically, course managers) may gain access to some site administration capabilities by "logging in as" a System manager. This affects 3.9 to 3.9.1, 3.8 to 3.8.4, 3.7 to 3.7.7, 3.5 to 3.5.13 and earlier unsupported versions. This is fixed in 3.9.2, 3.8.5, 3.7.8 and 3.5.14.

Опубликовано: 2020-12-07Изменено: 2026-06-17
CVSS 2.0СРЕДНЯЯ 6.5
CVSS:2.0/AV:N/AC:L/Au:S/C:P/I:P/A:P
CVSS 3.xВЫСОКАЯ 8.8
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE-2020-25630
HIGH7.5

A vulnerability was found in Moodle where the decompressed size of zip files was not checked against available user quota before unzipping them, which could lead to a denial of service risk. This affects versions 3.9 to 3.9.1, 3.8 to 3.8.4, 3.7 to 3.7.7, 3.5 to 3.5.13 and earlier unsupported versions. Fixed in 3.9.2, 3.8.5, 3.7.8 and 3.5.14.

Опубликовано: 2020-12-07Изменено: 2026-06-17
CVSS 2.0СРЕДНЯЯ 5.0
CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSS 3.xВЫСОКАЯ 7.5
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE-2020-25631
MEDIUM6.1

A vulnerability was found in Moodle 3.9 to 3.9.1, 3.8 to 3.8.4 and 3.7 to 3.7.7 where it was possible to include JavaScript in a book's chapter title, which was not escaped on the "Add new chapter" page. This is fixed in 3.9.2, 3.8.5 and 3.7.8.

Опубликовано: 2020-12-07Изменено: 2026-06-17
CVSS 2.0СРЕДНЯЯ 4.3
CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSS 3.xСРЕДНЯЯ 6.1
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVE-2020-25698
HIGH7.5

Users' enrollment capabilities were not being sufficiently checked in Moodle when they are restored into an existing course. This could lead to them unenrolling users without having permission to do so. Versions affected: 3.5 to 3.5.14, 3.7 to 3.7.8, 3.8 to 3.8.5, 3.9 to 3.9.2 and earlier unsupported versions. Fixed in 3.9.3, 3.8.6, 3.7.9, 3.5.15, and 3.10.

Опубликовано: 2020-11-19Изменено: 2026-06-17
CVSS 2.0СРЕДНЯЯ 5.0
CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSS 3.xВЫСОКАЯ 7.5
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CVE-2020-25699
HIGH7.5

In moodle, insufficient capability checks could lead to users with the ability to course restore adding additional capabilities to roles within that course. Versions affected: 3.9 to 3.9.2, 3.8 to 3.8.5, 3.7 to 3.7.8, 3.5 to 3.5.14 and earlier unsupported versions. This is fixed in moodle 3.9.3, 3.8.6, 3.7.9, 3.5.15, and 3.10.

Опубликовано: 2020-11-19Изменено: 2026-06-17
CVSS 2.0СРЕДНЯЯ 5.0
CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSS 3.xВЫСОКАЯ 7.5
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CVE-2020-25700
MEDIUM6.5

In moodle, some database module web services allowed students to add entries within groups they did not belong to. Versions affected: 3.9 to 3.9.2, 3.8 to 3.8.5, 3.7 to 3.7.8, 3.5 to 3.5.14 and earlier unsupported versions. This is fixed in moodle 3.8.6, 3.7.9, 3.5.15, and 3.10.

Опубликовано: 2020-11-19Изменено: 2026-06-17
CVSS 2.0СРЕДНЯЯ 4.0
CVSS:2.0/AV:N/AC:L/Au:S/C:N/I:P/A:N
CVSS 3.xСРЕДНЯЯ 6.5
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
CVE-2020-25701
MEDIUM5.3

If the upload course tool in Moodle was used to delete an enrollment method which did not exist or was not already enabled, the tool would erroneously enable that enrollment method. This could lead to unintended users gaining access to the course. Versions affected: 3.9 to 3.9.2, 3.8 to 3.8.5, 3.7 to 3.7.8, 3.5 to 3.5.14 and earlier unsupported versions. This is fixed in moodle 3.9.3, 3.8.6, 3.7.9, 3.5.15, and 3.10.

Опубликовано: 2020-11-19Изменено: 2026-06-17
CVSS 2.0СРЕДНЯЯ 5.0
CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSS 3.xСРЕДНЯЯ 5.3
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
CVE-2020-25703
MEDIUM5.3

The participants table download in Moodle always included user emails, but should have only done so when users' emails are not hidden. Versions affected: 3.9 to 3.9.2, 3.8 to 3.8.5 and 3.7 to 3.7.8. This is fixed in moodle 3.9.3, 3.8.6, 3.7.9, and 3.10.

Опубликовано: 2020-11-19Изменено: 2026-06-17
CVSS 2.0СРЕДНЯЯ 5.0
CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSS 3.xСРЕДНЯЯ 5.3
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CVE-2022-45152
CRITICAL9.1

A blind Server-Side Request Forgery (SSRF) vulnerability was found in Moodle. This flaw exists due to insufficient validation of user-supplied input in LTI provider library. The library does not utilise Moodle's inbuilt cURL helper, which resulted in a blind SSRF risk. An attacker can send a specially crafted HTTP request and trick the application to initiate requests to arbitrary systems. This vulnerability allows a remote attacker to perform SSRF attacks.

Опубликовано: 2022-11-25Изменено: 2026-06-17
CVSS 3.xКРИТИЧЕСКАЯ 9.1
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CVE-2023-5539
HIGH8.8

A remote code execution risk was identified in the Lesson activity. By default this was only available to teachers and managers.

Опубликовано: 2023-11-09Изменено: 2026-06-17
CVSS 3.xВЫСОКАЯ 8.8
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE-2023-5540
HIGH8.8

A remote code execution risk was identified in the IMSCP activity. By default this was only available to teachers and managers.

Опубликовано: 2023-11-09Изменено: 2026-06-17
CVSS 3.xВЫСОКАЯ 8.8
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE-2023-5545
MEDIUM5.3

H5P metadata automatically populated the author with the user's username, which could be sensitive information.

Опубликовано: 2023-11-09Изменено: 2026-06-17
CVSS 3.xСРЕДНЯЯ 5.3
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CVE-2023-5548
MEDIUM5.3

Stronger revision number limitations were required on file serving endpoints to improve cache poisoning protection.

Опубликовано: 2023-11-09Изменено: 2026-06-17
CVSS 3.xСРЕДНЯЯ 5.3
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
CVE-2023-5549
MEDIUM5.3

Insufficient web service capability checks made it possible to move categories a user had permission to manage, to a parent category they did not have the capability to manage.

Опубликовано: 2023-11-09Изменено: 2026-06-17
CVSS 3.xСРЕДНЯЯ 5.3
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
CVE-2023-5550
CRITICAL9.8

In a shared hosting environment that has been misconfigured to allow access to other users' content, a Moodle user who also has direct access to the web server outside of the Moodle webroot could utilise a local file include to achieve remote code execution.

Опубликовано: 2023-11-09Изменено: 2026-06-17
CVSS 3.xКРИТИЧЕСКАЯ 9.8
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2023-5551
LOW3.3

Separate Groups mode restrictions were not honoured in the forum summary report, which would display users from other groups.

Опубликовано: 2023-11-09Изменено: 2026-06-17
CVSS 3.xНИЗКАЯ 3.3
CVSS:3.x/CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
GHSA-26fg-v32r-h663
MEDIUM5.3

Moodle Exposure of Sensitive Information to an Unauthorized Actor vulnerability

Опубликовано: 2023-11-09Изменено: 2023-11-17
CVSS 3.xСРЕДНЯЯ 5.3
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
GHSA-cwh2-q44x-5w3c
MEDIUM5.3

Moodle Acceptance of Extraneous Untrusted Data With Trusted Data vulnerability

Опубликовано: 2023-11-09Изменено: 2023-11-17
CVSS 3.xСРЕДНЯЯ 5.3
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N