Alert GCSA-22107 - Security update for Moodle
******************************************************************
alert ID: GCSA-22107
date: 20 September 2022
title: Security update for Moodle
******************************************************************
:: Problem description
New versions of the Moodle e-learning platform have been released
that fix several security vulnerabilities.
MSA-22-0023: Stored XSS and page denial of service risks due to recursive rendering in Mustache template helpers
MSA-22-0024: Remote code execution risk when restoring malformed backup file from Moodle 1.9
MSA-22-0025: Minor SQL injection risk in admin user browsing
MSA-22-0026: No groups filtering in H5P activity attempts report
More information is available in the "References" section.
:: Affected software
Moodle versions prior to 3.9.17
Moodle versions prior to 3.11.10
Moodle versions prior to 4.0.4
Moodle versions prior to 3.9 are no longer supported.
:: Impact
Cross-site Scripting (XSS)
Denial of Service (DoS)
Remote arbitrary code execution (RCE)
SQL Injection (SQLi)
:: Solutions
Update to the latest versions
Moodle 3.9.17, 3.11.10 and 4.0.4
https://moodle.org/mod/forum/discuss.php?d=438139
https://moodledev.io/general/releases
https://docs.moodle.org/400/en/Upgrading
https://download.moodle.org/releases/latest/
:: References
Moodle - Security announcements
https://moodle.org/security/
https://moodle.org/mod/forum/discuss.php?d=438392
https://moodle.org/mod/forum/discuss.php?d=438393
https://moodle.org/mod/forum/discuss.php?d=438394
https://moodle.org/mod/forum/discuss.php?d=438395
Moodle 4.0.4 release notes
https://moodledev.io/general/releases/4.0/4.0.4
Moodle 3.11.10 release notes
https://moodledev.io/general/releases/3.11/3.11.10
Moodle 3.9.17 release notes
https://moodledev.io/general/releases/3.9/3.9.17
Moodle Security
https://docs.moodle.org/400/en/Security
Mitre CVE
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40313
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40314
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40315
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40316
GARR CERT Security Alert - subscribe/unsubscribe:
http://www.cert.garr.it/alert/ricevi-gli-alert-di-cert