Alert GCSA-23103 - Security update for Moodle
alert ID: GCSA-23103
date: 21 August 2023
title: Security update for Moodle
******************************************************************
:: Problem description
New versions of the Moodle e-learning platform have been released
which fix several security vulnerabilities.
MSA-23-0019: Proxy bypass risk due to insufficient validation
MSA-23-0020: Remote code execution risk when parsing malformed file repository reference
MSA-23-0021: Some block permissions on Dashboard not respected
MSA-23-0022: SQL injection risk in grader report sorting
MSA-23-0023: Stored self-XSS escalated to stored XSS via OAuth 2 login
MSA-23-0024: Private course participant data available from external grade report method
MSA-23-0025: phpCAS library upgraded to 1.6.0 (upstream)
MSA-23-0026: IDOR in message processor fragments allows fetching of other users' data
MSA-23-0027: JQuery UI library upgraded to 1.13.2 (upstream)
MSA-23-0028: Open redirect risk on admin view all policies page
MSA-23-0029: Competency framework tools are not restricted as intended
MSA-23-0030: Quiz sequential navigation bypass possible
More information is available in the "References" section.
:: Affected software
Moodle versions prior to 4.2.2
Moodle versions prior to 4.1.5 (LTS)
Moodle versions prior to 4.0.10
Moodle versions prior to 3.11.16 (Unsupported Moodle Version)
Moodle versions prior to 3.9.23 (Unsupported Moodle Version)
Moodle versions prior to 3.9 are no longer supported.
:: Impact
SQL Injection (SQLi)
Cross-site Scripting (XSS)
Security feature bypass (SFB)
Access to confidential data (ID)
:: Solutions
Upgrade to the latest versions
Moodle 4.2.2, 4.1.5, 4.0.10, 3.11.16 and 3.9.23
https://moodledev.io/general/releases
https://docs.moodle.org/402/en/Upgrading
https://download.moodle.org/releases/latest/
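The following script turns the "Affected software" and "Solutions" sections above into a check an administrator can run against an installed Moodle instance. It is an added example, not part of the GARR CERT alert nor Moodle's own code. It assumes that the installed release can be read from the $release string in Moodle's version.php (the sample file content below is constructed for the example) and that versions are compared per release branch: a branch listed in the alert is affected below its fixed version, branches older than 3.9 are unsupported and receive no fix, and any other branch is out of scope for this alert.

```python
import re

# Fixed versions per release branch, taken from the alert's
# "Affected software" and "Solutions" sections.
FIXED_VERSIONS = {
    (4, 2): (4, 2, 2),
    (4, 1): (4, 1, 5),
    (4, 0): (4, 0, 10),
    (3, 11): (3, 11, 16),
    (3, 9): (3, 9, 23),
}

# Oldest branch the alert still lists a fix for; older branches are unsupported.
OLDEST_FIXED_BRANCH = (3, 9)

# Constructed sample of the top of a Moodle version.php. The layout of the
# $release assignment is an assumption about upstream's file format.
SAMPLE_VERSION_PHP = """<?php
defined('MOODLE_INTERNAL') || die();
$version  = 2022112803.00;
$release  = '4.1.3 (Build: 20230424)';
$branch   = '401';
$maturity = MATURITY_STABLE;
"""


def fmt(v):
    """Render a version tuple such as (4, 1, 5) as '4.1.5'."""
    return ".".join(str(n) for n in v)


def parse_version(text):
    """Parse '4.1.3', '4.0.10+' or '4.1.3 (Build: 20230424)' into a 3-tuple.

    Only the leading token is used; a trailing '+' (weekly build marker) is
    dropped; a two-part version like '4.1' is treated as patch level 0.
    """
    core = text.strip().split()[0].rstrip("+")
    parts = core.split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Moodle version string: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums if len(nums) == 3 else nums + (0,)


def release_from_version_php(source):
    """Extract the human-readable $release string from version.php content."""
    m = re.search(r"\$release\s*=\s*'([^']+)'", source)
    if m is None:
        raise ValueError("no $release assignment found in version.php")
    return m.group(1)


def assess(version_text):
    """Return (status, advice) for an installed Moodle version.

    status is one of 'affected', 'not affected', 'unsupported', 'unknown'.
    """
    v = parse_version(version_text)
    branch = v[:2]
    if branch in FIXED_VERSIONS:
        fixed = FIXED_VERSIONS[branch]
        if v >= fixed:
            return ("not affected",
                    f"{fmt(v)} already includes the fix for this branch ({fmt(fixed)})")
        return ("affected", f"upgrade {fmt(v)} to {fmt(fixed)}")
    if branch < OLDEST_FIXED_BRANCH:
        return ("unsupported",
                f"branch {fmt(branch)} is no longer supported and receives no fix; "
                "migrate to a supported branch")
    return ("unknown",
            f"branch {fmt(branch)} is not listed in this alert; "
            "check https://moodle.org/security/")


if __name__ == "__main__":
    candidates = ["4.1.3", "4.2.2", "4.0.10+", "3.8.9", "3.10.11",
                  release_from_version_php(SAMPLE_VERSION_PHP)]
    for candidate in candidates:
        status, advice = assess(candidate)
        print(f"{candidate:28} {status:13} {advice}")
```

Note that branch 3.10 is not listed in the alert at all, so the script reports it as "unknown" rather than guessing; that case should be resolved against the Moodle security announcements linked under "References".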
:: References
Moodle - Security announcements
https://moodle.org/security/
https://moodle.org/mod/forum/discuss.php?d=449640
https://moodle.org/mod/forum/discuss.php?d=449641
https://moodle.org/mod/forum/discuss.php?d=449642
https://moodle.org/mod/forum/discuss.php?d=449643
https://moodle.org/mod/forum/discuss.php?d=449644
https://moodle.org/mod/forum/discuss.php?d=449645
https://moodle.org/mod/forum/discuss.php?d=449646
https://moodle.org/mod/forum/discuss.php?d=449647
https://moodle.org/mod/forum/discuss.php?d=449648
https://moodle.org/mod/forum/discuss.php?d=449649
https://moodle.org/mod/forum/discuss.php?d=449650
https://moodle.org/mod/forum/discuss.php?d=449651
Moodle 4.2.2 release notes
https://moodledev.io/general/releases/4.2/4.2.2
Moodle 4.1.5 release notes
https://moodledev.io/general/releases/4.1/4.1.5
Moodle 4.0.10 release notes
https://moodledev.io/general/releases/4.0/4.0.10
Moodle 3.11.16 release notes
https://moodledev.io/general/releases/3.11/3.11.16
Moodle 3.9.23 release notes
https://moodledev.io/general/releases/3.9/3.9.23
Moodle Security
https://docs.moodle.org/402/en/Security
Mitre CVE
CVE references are available in the original advisory.
GARR CERT Security Alert - subscribe/unsubscribe:
http://www.cert.garr.it/alert/ricevi-gli-alert-di-cert
-----BEGIN PGP SIGNATURE-----
iGsEAREIACsWIQTGpdiR5MqstacBGHbBnEyTZRJgQgUCZOMcqw0cY2VydEBnYXJy
Lml0AAoJEMGcTJNlEmBCtiAAnjsLi+v/gwjQkunWZiD6XWxlmM0mAKCQ5O+cmqGM
e5dsVi69TRbYzb+bnw==
=Kp/E
-----END PGP SIGNATURE-----