Alert GCSA-25055 - Security update for Moodle
******************************************************************
alert ID: GCSA-25055
date: 23 April 2025
title: Security update for Moodle
******************************************************************
:: Problem description
New versions of the Moodle e-learning platform have been released
that fix several security vulnerabilities.
MSA-25-0013: Remote code execution risk via MimeTeX command (upstream)
MSA-25-0014: User DoS and name disclosure risks via IDOR in MFA email factor revoke action
MSA-25-0015: Some user data available before completing second factor with MFA enabled
MSA-25-0016: Assignment submissions search on anonymous submissions reveals student identities
MSA-25-0017: Self enrolment available before completing second factor with MFA enabled
MSA-25-0018: CSRF risk in user tours manager allows tour duplication
MSA-25-0019: IDOR in RSS block allows access to additional RSS feeds
MSA-25-0020: mod_data edit/delete pages pass CSRF token in GET parameter
MSA-25-0021: CSRF risk in Brickfield tool's analysis request action
MSA-25-0022: IDOR in web service allows users enrolled in a course to access some details of other users
MSA-25-0023: Authenticated remote code execution risk in the Moodle LMS Dropbox repository
MSA-25-0024: Authenticated remote code execution risk in the Moodle LMS EQUELLA repository
MSA-25-0025: Reflected XSS risk in policy tool
MSA-25-0026: AJAX section delete does not respect course_can_delete_section()
MSA-25-0027: IDOR in messaging web service allows access to some user details
MSA-25-0028: IDOR when accessing the cohorts report
Further information is available in the "References" section.
:: Affected software
Moodle versions prior to 4.5.4
Moodle versions prior to 4.4.8
Moodle versions prior to 4.3.12
Moodle versions prior to 4.1.18
The vendor states that versions prior to 4.1.x are vulnerable
and will not receive security updates.
:: Impact
Access to confidential data (ID)
Security feature bypass (SFB)
Denial of Service (DoS)
Esecuzione remota di codice arbitrario (RCE)
Cross-site Scripting (XSS)
Cross-Site Request Forgery (CSRF)
:: Solutions
Although new 4.x.x versions have been released,
the vendor recommends upgrading to Moodle version 5.0.
https://docs.moodle.org/500/en/Upgrading
https://moodledev.io/general/releases/5.0
Support for version 4.3.12 ended in April 2025
and it will not receive further fixes for security issues.
Versions 4.4.8 and 4.1.18 are no longer supported for general bug fixes.
https://moodledev.io/general/releases
https://download.moodle.org/releases/latest/
https://download.moodle.org/releases/security/
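A version check against this alert, added here as an example and not part of the GARR CERT bulletin or of Moodle's own tooling: it reads the $release string that Moodle's version.php carries (assumed format '4.5.3+ (Build: 20250312)', where the trailing '+' marks a weekly build), compares the installed branch with the fixed versions and support notes above, and treats the 4.2 branch, which the alert does not mention, as needing confirmation from Moodle's announcements. The version.php fragment at the bottom is a constructed sample.

```python
import re

# Fixed versions per branch and support state, as listed in alert GCSA-25055.
FIXED_BY_BRANCH = {(4, 5): (4, 5, 4), (4, 4): (4, 4, 8), (4, 3): (4, 3, 12), (4, 1): (4, 1, 18)}
SECURITY_SUPPORT_ENDED = {(4, 3)}        # no further security fixes after April 2025
GENERAL_BUGFIX_ENDED = {(4, 4), (4, 1)}  # security fixes only, no general bug fixes

# Moodle's version.php carries e.g. $release = '4.5.3+ (Build: 20250312)'; '+' = weekly build.
RELEASE_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?(\+)?")

def release_from_version_php(text: str) -> str:
    """Extract the $release string from the contents of Moodle's version.php."""
    m = re.search(r"\$release\s*=\s*'([^']*)'", text)
    if not m:
        raise ValueError("no $release assignment found in version.php")
    return m.group(1)

def parse_release(release: str) -> tuple[tuple[int, int, int], bool]:
    """Return ((major, minor, patch), is_weekly_build) for a $release string."""
    m = RELEASE_RE.match(release)
    if not m:
        raise ValueError(f"unrecognised Moodle release string: {release!r}")
    major, minor, patch, plus = m.groups()
    return (int(major), int(minor), int(patch or 0)), plus is not None

def assess(release: str) -> str:
    """Classify an installed Moodle release against GCSA-25055."""
    version, weekly = parse_release(release)
    branch = version[:2]
    if branch >= (5, 0):
        return "not affected: 5.0 line, which the vendor recommends"
    if branch < (4, 1):
        return "vulnerable: branches before 4.1 get no security fixes; upgrade to 5.0"
    if branch not in FIXED_BY_BRANCH:  # assumption: 4.2 is not mentioned in this alert
        return "not covered by this alert: check the Moodle security announcements"
    fixed = FIXED_BY_BRANCH[branch]
    if version < fixed:
        # A '+' weekly build may already carry the fix, but the release string alone
        # cannot prove it, so it is still reported as vulnerable (conservative choice).
        note = " (weekly build: check its build date against the fixed release)" if weekly else ""
        return f"vulnerable: upgrade to {'.'.join(map(str, fixed))} or to 5.0{note}"
    if branch in SECURITY_SUPPORT_ENDED:
        return "fixed, but this branch gets no further security fixes; plan the upgrade to 5.0"
    if branch in GENERAL_BUGFIX_ENDED:
        return "fixed; this branch now receives security fixes only"
    return "fixed"

# Constructed sample of a version.php fragment (not taken from a real install).
SAMPLE_VERSION_PHP = "<?php\n$release = '4.5.3+ (Build: 20250312)';\n"
```

Run it as assess(release_from_version_php(open("/path/to/moodle/version.php").read())) on each instance you manage.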
:: References
Moodle - Security announcements
https://moodle.org/security/
https://moodle.org/mod/forum/discuss.php?d=467592
https://moodle.org/mod/forum/discuss.php?d=467593
https://moodle.org/mod/forum/discuss.php?d=467594
https://moodle.org/mod/forum/discuss.php?d=467595
https://moodle.org/mod/forum/discuss.php?d=467596
https://moodle.org/mod/forum/discuss.php?d=467597
https://moodle.org/mod/forum/discuss.php?d=467598
https://moodle.org/mod/forum/discuss.php?d=467599
https://moodle.org/mod/forum/discuss.php?d=467600
https://moodle.org/mod/forum/discuss.php?d=467601
https://moodle.org/mod/forum/discuss.php?d=467602
https://moodle.org/mod/forum/discuss.php?d=467603
https://moodle.org/mod/forum/discuss.php?d=467604
https://moodle.org/mod/forum/discuss.php?d=467605
https://moodle.org/mod/forum/discuss.php?d=467606
https://moodle.org/mod/forum/discuss.php?d=467607
Moodle 4.5.4 release notes
https://moodledev.io/general/releases/4.5/4.5.4
Moodle 4.4.8 release notes
https://moodledev.io/general/releases/4.4/4.4.8
Moodle 4.3.12 release notes
https://moodledev.io/general/releases/4.3/4.3.12
Moodle 4.1.18 release notes
https://moodledev.io/general/releases/4.1/4.1.18
Moodle Security
https://docs.moodle.org/500/en/Security
CVE references
The CVE references are available in the original advisories.
GARR CERT Security Alert - subscribe/unsubscribe:
http://www.cert.garr.it/alert/ricevi-gli-alert-di-cert