Security Advisory 2024-085

Release Date:

Multiple Vulnerabilities in Moodle

History:

  • 21/08/2024 -- v1.0 -- Initial publication

Summary

On August 19, 2024, Moodle released a security advisory addressing sixteen vulnerabilities of various severities [1,2].

It is recommended to update as soon as possible.

Technical Details

Moodle has assigned a "Serious" severity rating to several of these CVEs.

The vulnerability CVE-2024-43440 is a Local File Inclusion (LFI) flaw triggered when restoring malformed block backups [3].

The vulnerability CVE-2024-43439 is a flaw in unsanitised H5P error messages allowing for Reflected Cross-Site Scripting (XSS) [4].

The vulnerability CVE-2024-43436 is an SQL injection flaw in the XMLDB editor tool available to site administrators [5].

The vulnerability CVE-2024-43434 is a flaw in the bulk message sending feature of the feedback module's non-respondents report, caused by an incorrect CSRF token check, which may lead to Cross-Site Request Forgery (CSRF) [6].

The vulnerability CVE-2024-43431 is an Insecure Direct Object Reference (IDOR) flaw that allows users to delete badges they do not have permission to access due to insufficient capability checks [7].

The vulnerability CVE-2024-43428 is a cache poisoning flaw due to insufficient validation of local storage, allowing injection into the storage mechanism [8].

The vulnerability CVE-2024-43426 is a serious arbitrary file read flaw due to insufficient sanitisation in the TeX notation filter, affecting sites where pdfTeX is available [9].

The vulnerability CVE-2024-43425 is a remote code execution flaw through calculated question types [10].

Affected Products

The following Moodle versions are affected by the vulnerabilities:

  • 4.4 to 4.4.1;
  • 4.3 to 4.3.5;
  • 4.2 to 4.2.8;
  • 4.1 to 4.1.11;
  • Earlier unsupported versions.
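As an added triage helper that is not part of the advisory or of Moodle's own tooling, the following Python checks a deployed version string against the affected ranges listed above. The affected ranges are taken from the advisory; the inventory shape (a hostname-to-version mapping) is an assumption constructed for the example, and weekly "+" builds are conservatively treated as still being at the base patch level, since the page does not state whether they carry the fixes.

```python
# Added example (not part of the CERT-EU advisory): map a Moodle release
# string onto the affected ranges the advisory lists.
from typing import Dict, List, Tuple

# Affected branches and the last affected patch level, as stated in the
# advisory: 4.4 to 4.4.1, 4.3 to 4.3.5, 4.2 to 4.2.8, 4.1 to 4.1.11.
AFFECTED_RANGES: Dict[Tuple[int, int], int] = {
    (4, 4): 1,
    (4, 3): 5,
    (4, 2): 8,
    (4, 1): 11,
}
# Everything below the oldest listed branch is "earlier unsupported versions".
OLDEST_LISTED_BRANCH = (4, 1)


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'MAJOR.MINOR' or 'MAJOR.MINOR.PATCH'.

    Accepts the $release format from Moodle's version.php, e.g.
    '4.4.1+ (Build: 20240712)'. The weekly '+' suffix and the build tag
    are dropped; a missing patch level means .0.
    """
    core = text.strip().split()[0].split("+")[0]
    parts = core.split(".")
    if len(parts) not in (2, 3) or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Moodle version: {text!r}")
    major, minor = int(parts[0]), int(parts[1])
    patch = int(parts[2]) if len(parts) == 3 else 0
    return major, minor, patch


def assess(text: str) -> Tuple[bool, str]:
    """Return (affected, reason) for one release string."""
    major, minor, patch = parse_version(text)
    branch = (major, minor)
    if branch in AFFECTED_RANGES:
        last = AFFECTED_RANGES[branch]
        if patch <= last:
            return True, (f"{major}.{minor}.{patch} is within the affected "
                          f"range {major}.{minor} to {major}.{minor}.{last}")
        return False, f"{major}.{minor}.{patch} is past the affected range"
    if branch < OLDEST_LISTED_BRANCH:
        return True, "earlier unsupported branch, listed as affected"
    # Branches newer than those listed are not covered by the advisory;
    # they are reported as not affected rather than guessed at.
    return False, "branch not listed in the advisory"


def affected_hosts(inventory: Dict[str, str]) -> List[str]:
    """Names of inventory entries whose version falls in an affected range."""
    return sorted(host for host, release in inventory.items() if assess(release)[0])


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "lms-prod-01": "4.4.1+ (Build: 20240712)",
    "lms-prod-02": "4.4.2 (Build: 20240819)",
    "lms-staging": "4.3.5",
    "lms-legacy": "3.9.20",
    "lms-pilot": "4.1.12",
}

if __name__ == "__main__":
    for host, release in SAMPLE_INVENTORY.items():
        affected, reason = assess(release)
        print(f"{host:12} {release:30} {'AFFECTED' if affected else 'ok':9} {reason}")
    print("needs update:", affected_hosts(SAMPLE_INVENTORY))
```

The branch lookup uses the advisory's own boundaries, so a 4.4.2 or 4.1.12 host is reported as past the range while 4.4.0 (written "4.4") and 4.1.11 are still flagged; anything older than the 4.1 branch is flagged because the advisory lists earlier unsupported versions as affected.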

Recommendations

It is recommended to update affected assets as soon as possible.

References

[1] https://moodle.org/security/index.php

[2] https://www.cert.ssi.gouv.fr/avis/CERTFR-2024-AVI-0696/

[3] https://moodle.org/mod/forum/discuss.php?d=461209#p1851881

[4] https://moodle.org/mod/forum/discuss.php?d=461209#p1851881

[5] https://moodle.org/mod/forum/discuss.php?d=461206#p1851878

[6] https://moodle.org/mod/forum/discuss.php?d=461203#p1851874

[7] https://moodle.org/mod/forum/discuss.php?d=461199#p1851870

[8] https://moodle.org/mod/forum/discuss.php?d=461196#p1851867

[9] https://moodle.org/mod/forum/discuss.php?d=461194#p1851864

[10] https://moodle.org/mod/forum/discuss.php?d=461193#p1851861
