Alert GCSA-24026 - Security update for Moodle


******************************************************************

Alert ID: GCSA-24026
date: 22 February 2024
title: Security update for Moodle

******************************************************************

:: Problem description

New versions of the Moodle e-learning platform have been released
that fix several security vulnerabilities.

MSA-24-0001: Denial of service risk in file picker unzip functionality
MSA-24-0002: Forum search accepted random parameters in its URL
MSA-24-0003: H5P attempts report did not respect activity group settings
MSA-24-0004: Forum export did not respect activity group settings
MSA-24-0005: CSRF risk in Language import utility
MSA-24-0006: IDOR on dashboard comments block

More information is available in the "References" section.


:: Affected software

Moodle versions prior to 4.3.3
Moodle versions prior to 4.2.6
Moodle versions prior to 4.1.9 (LTS)


:: Impact

Denial of Service (DoS)
Security Feature Bypass (SFB)
CSRF risk


:: Solutions

Upgrade to the latest versions

Moodle 4.3.3, 4.2.6, 4.1.9

https://moodledev.io/general/releases
https://docs.moodle.org/402/en/Upgrading
https://download.moodle.org/releases/latest/
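The version ranges listed above can be checked mechanically. The following Python script is an added example (it is not part of this alert and not Moodle project code): it reads the $release line of a Moodle installation's version.php and reports whether that release falls below the fixed release for its branch. The branch table comes from this alert; the version.php text embedded in the script is constructed for the example, and a branch the alert does not list (such as 4.0 or 3.x) is reported as "not-listed" rather than as safe.

```python
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Fixed releases per branch, taken from this alert's "Affected software" and
# "Solutions" sections: anything below the listed release on that branch is affected.
FIXED_VERSIONS = {
    (4, 3): (4, 3, 3),
    (4, 2): (4, 2, 6),
    (4, 1): (4, 1, 9),  # LTS
}

# Matches the $release line of Moodle's version.php, e.g.
#   $release  = '4.3.2 (Build: 20231211)';
#   $release  = '4.3 (Build: 20231009)';     (an x.y.0 release is written without the .0)
#   $release  = '4.2.5+ (Build: 20240110)';  (weekly "+" build on top of 4.2.5)
RELEASE_RE = re.compile(r"\$release\s*=\s*'(\d+)\.(\d+)(?:\.(\d+))?\+?(?=[\s'])")


def parse_release(version_php: str) -> Optional[Version]:
    """Return (major, minor, patch) parsed from version.php text, or None if absent."""
    m = RELEASE_RE.search(version_php)
    if m is None:
        return None
    major, minor, patch = m.groups()
    # A "+" weekly build is treated as the base release it was cut from: it may or
    # may not contain the security fix, so the conservative reading is "not fixed".
    return (int(major), int(minor), int(patch or 0))


def assess(version: Version) -> str:
    """Classify a version against this alert: 'affected', 'fixed' or 'not-listed'."""
    fixed = FIXED_VERSIONS.get(version[:2])
    if fixed is None:
        # Branches the alert does not mention cannot be declared safe from this
        # information alone; they need a separate check against the vendor's list.
        return "not-listed"
    return "affected" if version < fixed else "fixed"


def check_version_php(version_php: str) -> str:
    """Parse version.php text and return the assessment, or 'unparsed' if no $release line."""
    version = parse_release(version_php)
    if version is None:
        return "unparsed"
    return assess(version)


# Constructed sample of a Moodle version.php for this example; the build number,
# build date and release shown here are made up and do not describe a real build.
SAMPLE_VERSION_PHP = """<?php
$version  = 2023100902.00;              // constructed sample value
$release  = '4.3.2 (Build: 20231211)';  // constructed sample value
$branch   = '403';
$maturity = MATURITY_STABLE;
"""

if __name__ == "__main__":
    # On a real installation: check_version_php(open("/path/to/moodle/version.php").read())
    print(check_version_php(SAMPLE_VERSION_PHP))  # affected
```

The script compares tuples, so 4.3.10 is correctly ranked above 4.3.3; a plain string comparison would get that wrong.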


:: References

Moodle - Security announcements
https://moodle.org/security/
https://moodle.org/mod/forum/view.php?id=7128
https://moodle.org/mod/forum/discuss.php?d=455634
https://moodle.org/mod/forum/discuss.php?d=455635
https://moodle.org/mod/forum/discuss.php?d=455636
https://moodle.org/mod/forum/discuss.php?d=455637
https://moodle.org/mod/forum/discuss.php?d=455638
https://moodle.org/mod/forum/discuss.php?d=455641

Moodle 4.3.3 release notes
https://moodledev.io/general/releases/4.3/4.3.3

Moodle 4.2.6 release notes
https://moodledev.io/general/releases/4.2/4.2.6

Moodle 4.1.9 release notes
https://moodledev.io/general/releases/4.1/4.1.9

Moodle Security
https://docs.moodle.org/402/en/Security

CSIRT Italia
https://www.csirt.gov.it/contenuti/vulnerabilita-in-moodle-al01-240220-csirt-ita

Mitre CVE
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25978
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25979
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25980
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25981
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25982
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25983



GARR CERT Security Alert - subscribe/unsubscribe:
http://www.cert.garr.it/alert/ricevi-gli-alert-di-cert




-----BEGIN PGP SIGNATURE-----

iF0EAREIAB0WIQTGpdiR5MqstacBGHbBnEyTZRJgQgUCZdcuMAAKCRDBnEyTZRJg
QojAAJ9T1jHadxmlZWSTElwAbtKXy9+lYgCgqydoAOIdu15InkGvECBe5HLSW9s=
=v6nz
-----END PGP SIGNATURE-----