To all registered Moodle Administrators,
I'm writing today to let you know that Moodle LMS 4.5.1, 4.4.5, 4.3.9 and 4.1.15 are now available via the usual open download channels: https://download.moodle.org and Git. The release notes for each version can be found at the following links:
As well as bug fixes, performance improvements and polishing, there are security fixes that you should be aware of. Details of the security issues that have been fixed in this release are listed at the bottom of this email.
Fixes and improvements that contribute to security best practices are also an important element of keeping Moodle instances and their data secure. Any security improvements are listed in the release notes.
As a registered Moodle admin, you receive notice of fixed security issues before they are published more widely. In approximately one week, the details will also be available from https://moodle.org/security, including the relevant CVE identifiers.
To avoid leaving your site vulnerable, we highly recommend you upgrade your sites to the latest Moodle version as soon as you can. If you cannot upgrade, then please check the list below carefully and patch your own system or switch off those features.
As with every release, a huge thank you goes out to everyone involved in reporting and fixing issues. It is a huge team effort, and everyone's hard work is very much appreciated by both Moodle HQ and the wider Moodle community.
Thanks for using Moodle and being part of the Moodle open source community.
Michael Hawkins
Moodle HQ
==============================================================================
Security Fixes
==============================================================================

MSA-24-0051: Unprotected access to sensitive information via learning plan web service

Description: Insufficient capability checks in a learning plan web service could result in users having the ability to retrieve information they did not have permission to access (such as users' names).
Issue summary: Unprotected access to sensitive information via learning plan web service
Severity/Risk: Serious
Versions affected: 4.5, 4.4 to 4.4.4, 4.3 to 4.3.8, 4.1 to 4.1.14 and earlier unsupported versions
Versions fixed: 4.5.1, 4.4.5, 4.3.9 and 4.1.15
Reported by: lUcgryy
Issue no.: MDL-83921
CVE identifier: Pending
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-83921

==============================================================================

MSA-24-0052: Tag index page displays other users tagged with the selected tag

Description: Insufficient checks meant users could see users tagged with a tag, regardless of whether they had access to view the users' profiles.
Issue summary: Tag index page displays other users tagged with the selected tag
Severity/Risk: Minor
Versions affected: 4.5, 4.4 to 4.4.4, 4.3 to 4.3.8, 4.1 to 4.1.14 and earlier unsupported versions
Versions fixed: 4.5.1, 4.4.5, 4.3.9 and 4.1.15
Reported by: Frederik Milling Pytlick
Issue no.: MDL-82963
CVE identifier: Pending
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-82963

==============================================================================

MSA-24-0053: Email change confirmation token available via preference

Description: On sites requiring a confirmation step to update a user's email address, the token used to verify the change should only be accessible via the confirmation email, but was otherwise retrievable by the user.
Issue summary: Email change confirmation token available via preference
Severity/Risk: Minor
Versions affected: 4.5, 4.4 to 4.4.4, 4.3 to 4.3.8, 4.1 to 4.1.14 and earlier unsupported versions
Versions fixed: 4.5.1, 4.4.5, 4.3.9 and 4.1.15
Reported by: Vincent Schneider
Issue no.: MDL-82379
CVE identifier: Pending
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-82379

==============================================================================

MSA-24-0054: Database activity issue in separate groups mode, for users not in a group

Description: In a database activity with separate groups mode enabled, users who were not in a group (and did not have permission to access all groups) could see entries from members of all groups in the activity, rather than just entries of users also not in any groups.
Note: Users within groups worked as intended, only able to see entries belonging to other members of their group(s).
Issue summary: Database activity issue in separate groups mode, for users not in a group
Severity/Risk: Minor
Versions affected: 4.5, 4.4 to 4.4.4, 4.3 to 4.3.8, 4.1 to 4.1.14 and earlier unsupported versions
Versions fixed: 4.5.1, 4.4.5, 4.3.9 and 4.1.15
Reported by: Jaron Cohen
Issue no.: MDL-82757
CVE identifier: Pending
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-82757

==============================================================================

MSA-24-0055: Reflected XSS in question bank filter

Description: Question bank filtering required additional sanitizing to prevent a reflected XSS risk.
Issue summary: Reflected XSS in question bank filter
Severity/Risk: Serious
Versions affected: 4.5, 4.4 to 4.4.4 and 4.3 to 4.3.8
Versions fixed: 4.5.1, 4.4.5 and 4.3.9
Reported by: Andrey Alekseev (Positive Technologies)
Issue no.: MDL-83357
CVE identifier: Pending
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-83357

==============================================================================

MSA-24-0056: Potential denial of service risk due to guest sessions' longer timeout period

Description: Guest user sessions were given a longer timeout than authenticated users, which could result in an elevated denial of service risk.
Issue summary: Potential denial of service risk due to guest sessions' longer timeout period
Severity/Risk: Serious
Versions affected: 4.5, 4.4 to 4.4.4, 4.3 to 4.3.8, 4.1 to 4.1.14 and earlier unsupported versions
Versions fixed: 4.5.1, 4.4.5, 4.3.9 and 4.1.15
Reported by: Jerome Charaoui
Issue no.: MDL-61316
CVE identifier: Pending
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-61316

==============================================================================
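The first advisory above (MSA-24-0051) is an instance of a web service returning data about another user without a sufficient capability check. The following is an added illustration of the check pattern a Moodle external function should apply before it does so; it is not Moodle's own code and not the MDL-83921 fix. The plugin name local_example, the class get_plan_owner and the capability local/example:viewplans are hypothetical; the core_external classes, validate_parameters(), validate_context(), require_capability(), core_user::get_user() and fullname() are the real Moodle APIs (the core_external namespace is the 4.2+ naming; the 4.1 branch uses the older unnamespaced external_api classes from lib/externallib.php).

```php
<?php
// Added illustrative example, not Moodle's own code or the MDL-83921 patch.
// Shows the capability-check pattern a Moodle external (web service) function
// should follow before returning data about another user. The plugin, class
// and capability names (local_example, get_plan_owner, local/example:viewplans)
// are hypothetical.

namespace local_example\external;

use core_external\external_api;
use core_external\external_function_parameters;
use core_external\external_single_structure;
use core_external\external_value;
use context_user;

defined('MOODLE_INTERNAL') || die();

class get_plan_owner extends external_api {

    public static function execute_parameters(): external_function_parameters {
        return new external_function_parameters([
            'userid' => new external_value(PARAM_INT, 'Owner of the learning plan'),
        ]);
    }

    public static function execute(int $userid): array {
        global $USER;

        // 1. Type-check and clean the incoming parameters (PARAM_INT here).
        $params = self::validate_parameters(self::execute_parameters(), ['userid' => $userid]);

        // 2. Bind the call to the context of the user whose data is requested and
        //    let the framework confirm the caller is logged in and may access it.
        $context = context_user::instance($params['userid']);
        self::validate_context($context);

        // 3. Explicit capability check: a caller asking about someone else's plan
        //    must hold the (hypothetical) view capability in that user's context.
        //    Leaving this step out is the class of defect MSA-24-0051 describes:
        //    any authenticated caller could then read names of users it cannot see.
        //    require_capability() throws required_capability_exception on failure,
        //    which the web service layer turns into an error response.
        if ($params['userid'] != $USER->id) {
            require_capability('local/example:viewplans', $context);
        }

        // Only after both checks pass is the record loaded and returned.
        $user = \core_user::get_user($params['userid'], '*', MUST_EXIST);

        return [
            'userid'   => $user->id,
            'fullname' => fullname($user),
        ];
    }

    public static function execute_returns(): external_single_structure {
        return new external_single_structure([
            'userid'   => new external_value(PARAM_INT, 'User id'),
            'fullname' => new external_value(PARAM_TEXT, 'Display name of the plan owner'),
        ]);
    }
}
```

The point of the ordering is that the context is validated and the capability is checked before any database read; a function that loads the record first and filters afterwards, or that relies on the caller being logged in as its only check, is the shape of issue the advisory describes.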
You are receiving this email because you asked for Moodle security news when you registered a Moodle site. If you no longer wish to receive these emails, please re-register your site with your new preferences or use the unsubscribe link below. Note that this inbox is unmonitored, so replies to this email will not be read.