Alert GCSA-22128 - Aggiornamento di sicurezza per Moodle
******************************************************************
Alert ID: GCSA-22128
data: 23 novembre 2022
titolo: Aggiornamento di sicurezza per Moodle
******************************************************************
:: Descrizione del problema
Sono state rilasciate nuove versioni della piattaforma di e-learning Moodle
con le quali vengono risolte alcune vulnerabilita' di sicurezza.
MSA-22-0028: Apply upstream security fix to VideoJS library to remove XSS risk
MSA-22-0029: Course restore - CSRF token passed in course redirect URL
MSA-22-0030: Reflected XSS risk in policy tool
MSA-22-0031: Stored XSS possible in some "social" user profile fields
MSA-22-0032: Blind SSRF risk in LTI provider library
Maggiori informazioni sono disponibili alla sezione "Riferimenti".
:: Software interessato
Moodle versioni precedenti alla 3.9.18
Moodle versioni precedenti alla 3.11.11
Moodle versioni precedenti alla 4.0.5
Le versioni di Moodle precedenti alla 3.9 non sono piu' supportate.
:: Impatto
Cross-site Scripting (XSS)
Esecuzione remota di codice arbitrario (RCE)
:: Soluzioni
Aggiornare alle versioni piu' recenti
Moodle 3.9.18, 3.11.11 e 4.0.5
https://moodledev.io/general/releases
https://docs.moodle.org/400/en/Upgrading
https://download.moodle.org/releases/latest/
:: Riferimenti
Moodle - Annunci di sicurezza
https://moodle.org/security/
https://moodle.org/mod/forum/discuss.php?d=440767
https://moodle.org/mod/forum/discuss.php?d=440769
https://moodle.org/mod/forum/discuss.php?d=440770
https://moodle.org/mod/forum/discuss.php?d=440771
https://moodle.org/mod/forum/discuss.php?d=440772
Moodle 4.0.5 release notes
https://moodledev.io/general/releases/4.0/4.0.5
Moodle 3.11.11 release notes
https://moodledev.io/general/releases/3.11/3.11.11
Moodle 3.9.18 release notes
https://moodledev.io/general/releases/3.9/3.9.18
Moodle Security
https://docs.moodle.org/400/en/Security
Mitre CVE
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23414
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-45149
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-45150
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-45151
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-45152
GARR CERT Security Alert - subscribe/unsubscribe:
http://www.cert.garr.it/alert/ricevi-gli-alert-di-cert
-----BEGIN PGP SIGNATURE-----
iGsEAREIACsWIQTGpdiR5MqstacBGHbBnEyTZRJgQgUCY34oww0cY2VydEBnYXJy
Lml0AAoJEMGcTJNlEmBCMWgAniDDmIFd+/nU5W88A4QnVcEWW1d8AJ9T19fRubVU
nVowbg/+F0KqksXUSA==
=Fmn7
-----END PGP SIGNATURE-----
Alert ID: GCSA-22128
data: 23 novembre 2022
titolo: Aggiornamento di sicurezza per Moodle
******************************************************************
:: Descrizione del problema
Sono state rilasciate nuove versioni della piattaforma di e-learning Moodle
con le quali vengono risolte alcune vulnerabilita' di sicurezza.
MSA-22-0028: Apply upstream security fix to VideoJS library to remove XSS risk
MSA-22-0029: Course restore - CSRF token passed in course redirect URL
MSA-22-0030: Reflected XSS risk in policy tool
MSA-22-0031: Stored XSS possible in some "social" user profile fields
MSA-22-0032: Blind SSRF risk in LTI provider library
Maggiori informazioni sono disponibili alla sezione "Riferimenti".
:: Software interessato
Moodle versioni precedenti alla 3.9.18
Moodle versioni precedenti alla 3.11.11
Moodle versioni precedenti alla 4.0.5
Le versioni di Moodle precedenti alla 3.9 non sono piu' supportate.
:: Impatto
Cross-site Scripting (XSS)
Esecuzione remota di codice arbitrario (RCE)
:: Soluzioni
Aggiornare alle versioni piu' recenti
Moodle 3.9.18, 3.11.11 e 4.0.5
https://moodledev.io/general/releases
https://docs.moodle.org/400/en/Upgrading
https://download.moodle.org/releases/latest/
:: Riferimenti
Moodle - Annunci di sicurezza
https://moodle.org/security/
https://moodle.org/mod/forum/discuss.php?d=440767
https://moodle.org/mod/forum/discuss.php?d=440769
https://moodle.org/mod/forum/discuss.php?d=440770
https://moodle.org/mod/forum/discuss.php?d=440771
https://moodle.org/mod/forum/discuss.php?d=440772
Moodle 4.0.5 release notes
https://moodledev.io/general/releases/4.0/4.0.5
Moodle 3.11.11 release notes
https://moodledev.io/general/releases/3.11/3.11.11
Moodle 3.9.18 release notes
https://moodledev.io/general/releases/3.9/3.9.18
Moodle Security
https://docs.moodle.org/400/en/Security
Mitre CVE
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23414
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-45149
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-45150
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-45151
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-45152
GARR CERT Security Alert - subscribe/unsubscribe:
http://www.cert.garr.it/alert/ricevi-gli-alert-di-cert
-----BEGIN PGP SIGNATURE-----
iGsEAREIACsWIQTGpdiR5MqstacBGHbBnEyTZRJgQgUCY34oww0cY2VydEBnYXJy
Lml0AAoJEMGcTJNlEmBCMWgAniDDmIFd+/nU5W88A4QnVcEWW1d8AJ9T19fRubVU
nVowbg/+F0KqksXUSA==
=Fmn7
-----END PGP SIGNATURE-----