Alert GCSA-22128 - Security update for Moodle


******************************************************************

Alert ID: GCSA-22128
date: 23 November 2022
title: Security update for Moodle

******************************************************************

:: Problem description

New versions of the Moodle e-learning platform have been released
that fix several security vulnerabilities.

MSA-22-0028: Apply upstream security fix to VideoJS library to remove XSS risk
MSA-22-0029: Course restore - CSRF token passed in course redirect URL
MSA-22-0030: Reflected XSS risk in policy tool
MSA-22-0031: Stored XSS possible in some "social" user profile fields
MSA-22-0032: Blind SSRF risk in LTI provider library

More information is available in the "References" section.


:: Affected software

Moodle versions earlier than 3.9.18
Moodle versions earlier than 3.11.11
Moodle versions earlier than 4.0.5

Moodle versions earlier than 3.9 are no longer supported.


:: Impact

Cross-site Scripting (XSS)
Remote arbitrary code execution (RCE)


:: Solutions

Update to the latest versions

Moodle 3.9.18, 3.11.11 e 4.0.5

https://moodledev.io/general/releases
https://docs.moodle.org/400/en/Upgrading
https://download.moodle.org/releases/latest/


:: References

Moodle - Security announcements
https://moodle.org/security/
https://moodle.org/mod/forum/discuss.php?d=440767
https://moodle.org/mod/forum/discuss.php?d=440769
https://moodle.org/mod/forum/discuss.php?d=440770
https://moodle.org/mod/forum/discuss.php?d=440771
https://moodle.org/mod/forum/discuss.php?d=440772

Moodle 4.0.5 release notes
https://moodledev.io/general/releases/4.0/4.0.5

Moodle 3.11.11 release notes
https://moodledev.io/general/releases/3.11/3.11.11

Moodle 3.9.18 release notes
https://moodledev.io/general/releases/3.9/3.9.18

Moodle Security
https://docs.moodle.org/400/en/Security

Mitre CVE
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23414
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-45149
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-45150
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-45151
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-45152


GARR CERT Security Alert - subscribe/unsubscribe:
http://www.cert.garr.it/alert/ricevi-gli-alert-di-cert
