===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.3890
                          Moodle security updates
                             16 November 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Moodle
Publisher:         Moodle
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
                   Cross-site Request Forgery      -- Remote with User Interaction
                   Cross-site Scripting            -- Remote with User Interaction
                   Access Confidential Data        -- Existing Account
                   Reduced Security                -- Unknown/Unspecified
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-43560 CVE-2021-43559 CVE-2021-43558
                   CVE-2021-3943

Original Bulletin: 
   https://moodle.org/mod/forum/discuss.php?d=429095&parent=1726798
   https://moodle.org/mod/forum/discuss.php?d=429096&parent=1726799
   https://moodle.org/mod/forum/discuss.php?d=429097&parent=1726802
   https://moodle.org/mod/forum/discuss.php?d=429099&parent=1726805
   https://moodle.org/mod/forum/discuss.php?d=429100&parent=1726807

Comment: This bulletin contains five (5) Moodle security advisories.

--------------------------BEGIN INCLUDED TEXT--------------------

MSA-21-0038: Remote code execution risk when restoring malformed backup file

A remote code execution risk when restoring backup files was identified.

Severity/Risk:     Serious
Versions affected: 3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10 and earlier
                   unsupported versions
Versions fixed:    3.11.4, 3.10.8 and 3.9.11
Reported by:       Paul Holden
CVE identifier:    CVE-2021-3943
Changes (master):  http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-70823
Tracker issue:     MDL-70823 Remote code execution risk when restoring malformed
                   backup file

--------------------------------------------------------------------------------

MSA-21-0039: Upgrade moodle-mlbackend-python and update its reference in /lib/
mlbackend/python/classes/processor.php (upstream)

The upstream Moodle machine learning backend and its reference in /lib/
mlbackend/python/classes/processor.php were upgraded, which includes some
security updates.

Please note: If you are using Moodle Analytics, an upgrade to the mlbackend is
required. See the Analytics settings documentation for more information about
required versions and how to upgrade.

Severity/Risk:     Minor
Versions affected: 3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10 and earlier
                   unsupported versions
Versions fixed:    3.11.4, 3.10.8 and 3.9.11
Reported by:       Sara Arjona
CVE identifier:    N/A
Changes (master):  http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-70887
Tracker issue:     MDL-70887 Upgrade moodle-mlbackend-python and update its
                   reference in /lib/mlbackend/python/classes/processor.php
                   (upstream)

--------------------------------------------------------------------------------

MSA-21-0040: Reflected XSS in filetype admin tool

A URL parameter in the filetype site administrator tool required extra
sanitizing to prevent a reflected XSS risk.

Severity/Risk:     Serious
Versions affected: 3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10 and earlier
                   unsupported versions
Versions fixed:    3.11.4, 3.10.8 and 3.9.11
Reported by:       starlabs_sg
CVE identifier:    CVE-2021-43558
Changes (master):  http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-72571
Tracker issue:     MDL-72571 Reflected XSS in filetype admin tool

--------------------------------------------------------------------------------

MSA-21-0041: CSRF risk on delete related badge feature

The "delete related badge" functionality did not include the necessary token
check to prevent a CSRF risk.

Severity/Risk:     Serious
Versions affected: 3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10 and earlier
                   unsupported versions
Versions fixed:    3.11.4, 3.10.8 and 3.9.11
Reported by:       ostapbender
CVE identifier:    CVE-2021-43559
Changes (master):  http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-72370
Tracker issue:     MDL-72370 CSRF risk on delete related badge feature
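The kind of token check MSA-21-0041 refers to, shown as an added illustration rather than Moodle's own patch: a hypothetical "delete related badge" page handler with the vulnerable form beside the hardened one. Moodle's sesskey API (sesskey(), require_sesskey(), required_param(), require_capability(), moodle_url) is real; the script path, the capability name, the table name and its columns are assumptions.

```php
<?php
// Added illustration, not Moodle's code: a hypothetical handler that removes a
// "related badge" link, before and after adding Moodle's CSRF token check.
require_once(__DIR__ . '/../config.php');   // Moodle bootstrap; path assumed
require_login();

$badgeid   = required_param('badgeid', PARAM_INT);
$relatedid = required_param('relatedid', PARAM_INT);
$context   = context_system::instance();
// Capability name is a placeholder; authorisation alone does not stop CSRF,
// because the victim is already authorised when the forged request arrives.
require_capability('local/example:managerelated', $context);

// BEFORE (vulnerable): any request carrying the victim's session cookie, e.g.
// an <img> or link on a third-party page pointing at
// delete.php?badgeid=1&relatedid=2, performs the deletion. Nothing proves the
// request was built by Moodle's own UI.
//
//   $DB->delete_records('badge_related',
//       ['badgeid' => $badgeid, 'relatedbadgeid' => $relatedid]);

// AFTER (hardened): demand the per-session token before the state change.
// require_sesskey() throws (request aborted) when the 'sesskey' parameter is
// missing or does not match the session; a cross-site page cannot read it.
require_sesskey();
$DB->delete_records('badge_related',            // table/columns assumed
    ['badgeid' => $badgeid, 'relatedbadgeid' => $relatedid]);

// Legitimate links must now carry the token, or they fail the check too.
$nexturl = new moodle_url('/local/example/delete.php',
    ['badgeid' => $badgeid, 'relatedid' => $relatedid, 'sesskey' => sesskey()]);
redirect($nexturl);
```

The same pattern applies to any page or AJAX endpoint that changes state: the audit question for a fix like MDL-72370 is whether every state-changing code path reaches require_sesskey() (or confirm_sesskey()) before it touches the database.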

--------------------------------------------------------------------------------

MSA-21-0042: IDOR in a calendar web service allows fetching of other users'
action events

Insufficient capability checks made it possible to fetch other users' calendar
action events.

Severity/Risk:     Minor
Versions affected: 3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10 and earlier
                   unsupported versions
Versions fixed:    3.11.4, 3.10.8 and 3.9.11
Reported by:       0xkasper
CVE identifier:    CVE-2021-43560
Changes (master):  http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71918
Tracker issue:     MDL-71918 IDOR in a calendar web service allows fetching of
                   other users' action events

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================