Moodle 4.5.x < 4.5.5 Multiple Vulnerabilities

critical Web App Scanning Plugin ID 114892

Language:

Synopsis

Description

According to its self-reported version, the Moodle install hosted on the remote host is 4.1.x prior to 4.1.19, or 4.4.x prior to 4.4.9, or 4.5.x prior to 4.5.5, or 5.x prior to 5.0.1. It is, therefore, affected by multiple vulnerabilities :

- A stricter capability check was required to restrict which users can fetch other users' recently accessed courses information.

- Insufficient authorisation checks could result in users being able to view BigBlueButton recordings they did not have permission to access.

- The "move up" and "move down" actions in backpack management for badges did not include the necessary token to prevent a CSRF risk.

- Insufficient state and capability checks resulted in some details of hidden courses (such as course name, description and teachers) being available to users who did not have permission to access them.

- A DNS rebind risk in the way cURL requests were handled could result in an SSRF risk, due to the possibility of cURL blocked hosts / allowed ports site configurations being bypassed.

- The upstream ADOdb library contained an SQL injection risk in the pg_insert_id() method. It is important to note that the core Moodle LMS was NOT affected by this vulnerability, however as a precaution, this library has been upgraded to remove the risk entirely, in case any third party code/plugins uses the vulnerable code.

- Additional cache controls were required to prevent web browsers caching a user's password on the login page (note accessing this would require access to the web browser on the device where the user had logged in).

Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.