Alert GCSA-23138 - Security update for Moodle

******************************************************************

alert ID: GCSA-23138
date: 19 October 2023
title: Security update for Moodle

******************************************************************

:: Problem description

New versions of the Moodle e-learning platform have been released that
fix several security vulnerabilities.

MSA-23-0042: RCE due to LFI risk in some misconfigured shared hosting environments
MSA-23-0036: Stored XSS and potential IDOR risk in Wiki comments
MSA-23-0032: Authenticated remote code execution risk in IMSCP
MSA-23-0031: Authenticated remote code execution risk in Lesson

More information is available in the "References" section.


:: Affected software

Moodle versions prior to 4.2.3
Moodle versions prior to 4.1.6 (LTS)
Moodle versions prior to 4.0.11
Moodle versions prior to 3.11.17 (Unsupported Moodle Version)
Moodle versions prior to 3.9.24 (Unsupported Moodle Version)

Moodle versions prior to 3.9 are no longer supported.
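A branch-aware check of an installed release against the version list above, added here as an example and not part of the GARR CERT alert; it assumes the release string has the form Moodle stores in version.php ('4.1.5 (Build: 20230814)'), treats '+' weekly builds conservatively as the base release, and reports branches the alert does not list (such as 3.10) as "not covered" rather than "fixed".

```python
"""Check a Moodle release string against the fixed versions in GCSA-23138."""
import re

# Fixed release per branch, exactly as listed in the alert.
FIXED_VERSIONS = {
    (4, 2): (4, 2, 3),
    (4, 1): (4, 1, 6),
    (4, 0): (4, 0, 11),
    (3, 11): (3, 11, 17),
    (3, 9): (3, 9, 24),
}
# Branches below 3.9 are out of support: no fix exists, only an upgrade path.
OLDEST_SUPPORTED_BRANCH = (3, 9)

# Accepts '4.1.5', '4.1.5+', '4.1.5 (Build: 20230814)' or a bare '4.3'.
_RELEASE_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?")


def parse_release(release: str) -> tuple[int, int, int]:
    """Return (major, minor, patch); a missing patch component is 0.
    Assumption: the string follows the $release format of Moodle's version.php."""
    m = _RELEASE_RE.match(release)
    if not m:
        raise ValueError(f"unrecognised Moodle release string: {release!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def assess(release: str) -> str:
    """Classify a release as 'unsupported', 'vulnerable', 'fixed' or 'not covered'."""
    ver = parse_release(release)
    branch = ver[:2]
    if branch < OLDEST_SUPPORTED_BRANCH:
        return "unsupported"      # e.g. 3.8.x: alert says upgrade, no patch available
    fixed = FIXED_VERSIONS.get(branch)
    if fixed is None:
        return "not covered"      # branch absent from the alert (e.g. 3.10, 4.3)
    return "fixed" if ver >= fixed else "vulnerable"


if __name__ == "__main__":
    # Constructed sample inventory; not real hosts.
    for rel in ["4.2.3 (Build: 20231009)", "4.1.5+ (Build: 20230814)",
                "4.0.11", "3.11.16", "3.10.11", "3.8.9"]:
        print(f"{rel:28} -> {assess(rel)}")
```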


:: Impact

Remote Code Execution (RCE)
Security feature bypass (SFB)


:: Solutions

Upgrade to the latest versions

Moodle 4.2.3, 4.1.6, 4.0.11, 3.11.17 and 3.9.24

https://moodledev.io/general/releases
https://docs.moodle.org/402/en/Upgrading
https://download.moodle.org/releases/latest/


:: References

Moodle - Security announcements
https://moodle.org/security/
https://moodle.org/mod/forum/view.php?id=7128
https://moodle.org/mod/forum/discuss.php?d=451591&parent=1814899
https://moodle.org/mod/forum/discuss.php?d=451585&parent=1814893
https://moodle.org/mod/forum/discuss.php?d=451581&parent=1814888
https://moodle.org/mod/forum/discuss.php?d=451580&parent=1814887

Moodle 4.2.3 release notes
https://moodledev.io/general/releases/4.2/4.2.3

Moodle 4.1.6 release notes
https://moodledev.io/general/releases/4.1/4.1.6

Moodle 4.0.11 release notes
https://moodledev.io/general/releases/4.0/4.0.11

Moodle 3.11.17 release notes
https://moodledev.io/general/releases/3.11/3.11.17

Moodle 3.9.24 release notes
https://moodledev.io/general/releases/3.9/3.9.24

Moodle Security
https://docs.moodle.org/402/en/Security

CSIRT Italia
https://www.csirt.gov.it/contenuti/vulnerabilita-in-moodle-al02-231017-csirt-ita

Mitre CVE
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5539
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5540
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5544
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5550

GARR CERT Security Alert - subscribe/unsubscribe:
http://www.cert.garr.it/alert/ricevi-gli-alert-di-cert