Alert GCSA-24073 - Security update for Moodle


******************************************************************

Alert ID: GCSA-24073
date: 17 May 2024
title: Security update for Moodle

******************************************************************

:: Problem description

New versions of the Moodle e-learning platform have been released that
fix 14 security vulnerabilities, 5 of which are rated high severity.

MSA-24-0007: Broken access control when setting calendar event type
MSA-24-0008: Stored XSS risk when editing another user's equation in equation editor
MSA-24-0009: Stored XSS via user's name on participants page when opening some options
MSA-24-0010: Unsafe direct use of $_SERVER['HTTP_REFERER'] in admin/tool/mfa/index.php
MSA-24-0011: Stored XSS in lesson overview report via user ID number
MSA-24-0012: CSRF risk in admin preset tool management of presets
MSA-24-0013: Authenticated LFI risk in some misconfigured shared hosting environments via modified mod_feedback backup
MSA-24-0014: Authenticated LFI risk in some misconfigured shared hosting environments via modified mod_workshop backup
MSA-24-0015: Authenticated LFI risk in some misconfigured shared hosting environments via modified mod_wiki backup
MSA-24-0016: Authenticated LFI risk in some misconfigured shared hosting environments via modified mod_data backup
MSA-24-0017: Unsanitized HTML in site log for config_log_created
MSA-24-0018: Logout CSRF in admin/tool/mfa/auth.php
MSA-24-0019: CSRF risk in analytics management of models
MSA-24-0020: ReCAPTCHA can be bypassed on the login page

Further information is available in the "References" section.


:: Affected software

Moodle versions earlier than 4.1.10
Moodle versions earlier than 4.2.7
Moodle versions earlier than 4.3.4

The vendor states that versions earlier than 4.1.x are vulnerable
and will not receive security updates.


:: Impact

Cross-site Scripting (XSS)
Security Feature Bypass (SFB)
Cross-Site Request Forgery (CSRF)


:: Solutions

Upgrade to the latest versions

Moodle 4.3.4, 4.2.7 e 4.1.10 (LTS)

https://moodledev.io/general/releases
https://docs.moodle.org/404/en/Upgrading
https://download.moodle.org/releases/latest/
https://download.moodle.org/releases/security/
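As an added example (not part of this GARR CERT alert or of Moodle's own code), the following Python check reads the $release line from a Moodle installation's version.php and compares it with the fixed releases listed above, flagging branches older than 4.1 as end-of-life. The version.php excerpt is a constructed sample, and the `$release = '...'` line format is an assumption about Moodle's file layout.

```python
import re

# Lowest fixed release per supported branch, as listed in this alert.
FIXED_RELEASES = {
    (4, 1): (4, 1, 10),
    (4, 2): (4, 2, 7),
    (4, 3): (4, 3, 4),
}

# Matches e.g. "$release  = '4.3.3 (Build: 20240318)';" in version.php
# (assumed format; weekly builds carry a trailing "+" which we ignore).
RELEASE_RE = re.compile(r"\$release\s*=\s*'([0-9]+(?:\.[0-9]+)*)")


def parse_release(version_php_text):
    """Return the numeric release (major, minor, patch) from version.php text."""
    m = RELEASE_RE.search(version_php_text)
    if not m:
        raise ValueError("no $release assignment found in version.php")
    parts = [int(p) for p in m.group(1).split(".")]
    while len(parts) < 3:          # "4.3" -> (4, 3, 0)
        parts.append(0)
    return tuple(parts[:3])


def assess(release):
    """Classify a release tuple against the fixed versions in this alert."""
    branch = release[:2]
    if branch in FIXED_RELEASES:
        return "patched" if release >= FIXED_RELEASES[branch] else "vulnerable"
    if branch < min(FIXED_RELEASES):
        return "unsupported"      # older than 4.1: no fix will be published
    return "newer"                # branch released after this alert; not covered


def check_version_php(version_php_text):
    """Convenience wrapper: returns (release, status) for a version.php file body."""
    release = parse_release(version_php_text)
    return release, assess(release)


if __name__ == "__main__":
    # Constructed sample of the relevant line of a Moodle version.php.
    SAMPLE = "$version  = 2023100903.00;\n$release  = '4.3.3 (Build: 20240318)';\n"
    rel, status = check_version_php(SAMPLE)
    print("Moodle %d.%d.%d: %s" % (rel + (status,)))
```

Run it against the real file with `python3 check.py < /path/to/moodle/version.php` after replacing SAMPLE with `sys.stdin.read()`.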


:: References

Moodle - Security announcements
https://moodle.org/security/
https://moodle.org/mod/forum/discuss.php?d=458384
https://moodle.org/mod/forum/discuss.php?d=458385
https://moodle.org/mod/forum/discuss.php?d=458386
https://moodle.org/mod/forum/discuss.php?d=458387
https://moodle.org/mod/forum/discuss.php?d=458388
https://moodle.org/mod/forum/discuss.php?d=458389
https://moodle.org/mod/forum/discuss.php?d=458390
https://moodle.org/mod/forum/discuss.php?d=458391
https://moodle.org/mod/forum/discuss.php?d=458393
https://moodle.org/mod/forum/discuss.php?d=458394
https://moodle.org/mod/forum/discuss.php?d=458395
https://moodle.org/mod/forum/discuss.php?d=458396
https://moodle.org/mod/forum/discuss.php?d=458397
https://moodle.org/mod/forum/discuss.php?d=458398

Moodle 4.3.4 release notes
https://moodledev.io/general/releases/4.3/4.3.4

Moodle 4.2.7 release notes
https://moodledev.io/general/releases/4.2/4.2.7

Moodle 4.1.10 release notes
https://moodledev.io/general/releases/4.1/4.1.10

Moodle Security
https://docs.moodle.org/404/en/Security

Mitre CVE
CVE references are available in the original advisory.


GARR CERT Security Alert - subscribe/unsubscribe:
http://www.cert.garr.it/alert/ricevi-gli-alert-di-cert