===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.3890
                           Moodle security updates
                              16 November 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Moodle
Publisher:         Moodle
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
                   Cross-site Request Forgery      -- Remote with User Interaction
                   Cross-site Scripting            -- Remote with User Interaction
                   Access Confidential Data        -- Existing Account
                   Reduced Security                -- Unknown/Unspecified
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-43560 CVE-2021-43559 CVE-2021-43558 CVE-2021-3943

Original Bulletin:
   https://moodle.org/mod/forum/discuss.php?d=429095&parent=1726798
   https://moodle.org/mod/forum/discuss.php?d=429096&parent=1726799
   https://moodle.org/mod/forum/discuss.php?d=429097&parent=1726802
   https://moodle.org/mod/forum/discuss.php?d=429099&parent=1726805
   https://moodle.org/mod/forum/discuss.php?d=429100&parent=1726807

Comment: This bulletin contains five (5) Moodle security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

MSA-21-0038: Remote code execution risk when restoring malformed backup file

A remote code execution risk when restoring backup files was identified.

Severity/Risk:      Serious
Versions affected:  3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10 and earlier
                    unsupported versions
Versions fixed:     3.11.4, 3.10.8 and 3.9.11
Reported by:        Paul Holden
CVE identifier:     CVE-2021-3943
Changes (master):   http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-70823
Tracker issue:      MDL-70823 Remote code execution risk when restoring malformed
                    backup file

- --------------------------------------------------------------------------------

MSA-21-0039: Upgrade moodle-mlbackend-python and update its reference in
/lib/mlbackend/python/classes/processor.php (upstream)

The upstream Moodle machine learning backend and its reference in
/lib/mlbackend/python/classes/processor.php were upgraded, which includes some
security updates.

Please note: If you are using Moodle Analytics, an upgrade to the mlbackend is
required. See the Analytics settings documentation for more information about
required versions and how to upgrade.

Severity/Risk:      Minor
Versions affected:  3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10 and earlier
                    unsupported versions
Versions fixed:     3.11.4, 3.10.8 and 3.9.11
Reported by:        Sara Arjona
CVE identifier:     N/A
Changes (master):   http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-70887
Tracker issue:      MDL-70887 Upgrade moodle-mlbackend-python and update its
                    reference in /lib/mlbackend/python/classes/processor.php
                    (upstream)

- --------------------------------------------------------------------------------

MSA-21-0040: Reflected XSS in filetype admin tool

A URL parameter in the filetype site administrator tool required extra
sanitizing to prevent a reflected XSS risk.

Severity/Risk:      Serious
Versions affected:  3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10 and earlier
                    unsupported versions
Versions fixed:     3.11.4, 3.10.8 and 3.9.11
Reported by:        starlabs_sg
CVE identifier:     CVE-2021-43558
Changes (master):   http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-72571
Tracker issue:      MDL-72571 Reflected XSS in filetype admin tool

- --------------------------------------------------------------------------------

MSA-21-0041: CSRF risk on delete related badge feature

The "delete related badge" functionality did not include the necessary token
check to prevent a CSRF risk.

Severity/Risk:      Serious
Versions affected:  3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10 and earlier
                    unsupported versions
Versions fixed:     3.11.4, 3.10.8 and 3.9.11
Reported by:        ostapbender
CVE identifier:     CVE-2021-43559
Changes (master):   http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-72370
Tracker issue:      MDL-72370 CSRF risk on delete related badge feature

- --------------------------------------------------------------------------------

MSA-21-0042: IDOR in a calendar web service allows fetching of other users'
action events

Insufficient capability checks made it possible to fetch other users' calendar
action events.

Severity/Risk:      Minor
Versions affected:  3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10 and earlier
                    unsupported versions
Versions fixed:     3.11.4, 3.10.8 and 3.9.11
Reported by:        0xkasper
CVE identifier:     CVE-2021-43560
Changes (master):   http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71918
Tracker issue:      MDL-71918 IDOR in a calendar web service allows fetching of
                    other users' action events

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT.
The mailing list you are subscribed to is maintained within your organisation,
so if you do not wish to continue receiving these bulletins you should contact
your local IT manager. If you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the appropriate
person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
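As an added triage example (not code from AusCERT or Moodle): the affected and fixed version ranges stated in all five advisories above, turned into a check that tells an administrator whether an installed Moodle release is inside the affected range and which patched release on the same branch to move to. The installed version strings used for testing are constructed.

```python
"""Triage helper for ESB-2021.3890: is an installed Moodle release affected?

Added example, not AusCERT's or Moodle's code. The version ranges below are
copied from the advisories in this bulletin; every advisory lists the same
affected and fixed versions, so one table covers all five.
"""
from typing import Optional, Tuple

Version = Tuple[int, ...]

# Fixed release per supported branch, as stated in MSA-21-0038 .. MSA-21-0042.
FIXED_BY_BRANCH = {
    (3, 11): (3, 11, 4),   # affected: 3.11 to 3.11.3
    (3, 10): (3, 10, 8),   # affected: 3.10 to 3.10.7
    (3, 9): (3, 9, 11),    # affected: 3.9 to 3.9.10
}
OLDEST_SUPPORTED_BRANCH = (3, 9)


def parse_version(text: str) -> Version:
    """Turn '3.10.7' (or '3.10.7+', Moodle's weekly-build suffix) into ints."""
    parts = text.strip().rstrip("+").split(".")
    return tuple(int(part) for part in parts)


def triage(installed: str) -> Tuple[bool, Optional[str]]:
    """Return (affected, upgrade_target).

    upgrade_target is the fixed release on the same branch, or None when the
    branch is unsupported: the bulletin names no patched release for anything
    older than 3.9, so the only remediation there is a branch upgrade.
    """
    version = parse_version(installed)
    branch = version[:2]
    if branch < OLDEST_SUPPORTED_BRANCH:
        return True, None          # "earlier unsupported versions"
    fixed = FIXED_BY_BRANCH.get(branch)
    if fixed is None:
        # Branch newer than the bulletin covers: refuse to guess either way.
        raise ValueError(f"branch {branch[0]}.{branch[1]} not covered by ESB-2021.3890")
    if version >= fixed:           # tuple compare: (3, 11) < (3, 11, 4), so bare "3.11" is affected
        return False, None
    return True, ".".join(str(part) for part in fixed)
```

A bare branch string such as "3.11" compares below "3.11.4" and is reported as affected, matching the bulletin's "3.11 to 3.11.3" wording.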