Alert GCSA-22078 - Security update for Moodle

******************************************************************

alert ID: GCSA-22078
date: 19 July 2022
title: Security update for Moodle

******************************************************************

:: Problem description

New versions of the Moodle e-learning platform have been released
that fix several security vulnerabilities.

MSA-22-0015: PostScript Code Injection / Remote code execution risk
MSA-22-0016: Arbitrary file read when importing lesson questions
MSA-22-0017: Stored XSS and blind SSRF possible via SCORM track details
MSA-22-0018: Open redirect risk in mobile auto-login feature
MSA-22-0019: LTI module reflected XSS risk - affecting unauthenticated users only
MSA-22-0020: Upgrade moodle-mlbackend-python and update its reference in /lib/mlbackend/python/classes/processor.php (upstream)

More information is available in the "References" section.


:: Affected software

Moodle versions earlier than 3.9.15
Moodle versions earlier than 3.11.8
Moodle versions earlier than 4.0.2

Moodle versions earlier than 3.9 are no longer supported.


:: Impact

Remote execution of arbitrary code (RCE)
Information disclosure (ID)
Cross-Site Scripting (XSS)


:: Solutions

Upgrade to the latest versions

Moodle 3.9.15, 3.11.8 and 4.0.2

https://moodle.org/mod/forum/discuss.php?d=436231
https://docs.moodle.org/400/en/Upgrading
https://download.moodle.org/releases/latest/


:: References

Moodle - Security announcements
https://moodle.org/security/
https://moodle.org/mod/forum/discuss.php?d=436456
https://moodle.org/mod/forum/discuss.php?d=436457
https://moodle.org/mod/forum/discuss.php?d=436458
https://moodle.org/mod/forum/discuss.php?d=436459
https://moodle.org/mod/forum/discuss.php?d=436460
https://moodle.org/mod/forum/discuss.php?d=436461

Moodle 3.9.15 release notes
https://docs.moodle.org/dev/Moodle_3.9.15_release_notes

Moodle 3.11.8 release notes
https://docs.moodle.org/dev/Moodle_3.11.8_release_notes

Moodle 4.0.2 release notes
https://docs.moodle.org/dev/Moodle_4.0.2_release_notes

Moodle Security
https://docs.moodle.org/400/en/Security

Mitre CVE
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35649
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35650
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35651
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35652
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35653


GARR CERT Security Alert - subscribe/unsubscribe:
http://www.cert.garr.it/alert/ricevi-gli-alert-di-cert
