MSA-21-0019: Upgrade H5P PHP library to latest minor version (upstream)

by Michael Hawkins.  

The H5P PHP library included with Moodle has been upgraded to the latest minor version, which includes a security fix.


...
Severity/Risk: Serious
Versions affected: 3.10 to 3.10.3, 3.9 to 3.9.6 and 3.8 to 3.8.8
Versions fixed: 3.11, 3.10.4, 3.9.7 and 3.8.9
Reported by: Sara Arjona
CVE identifier: N/A
Changes (master): http://git.moodle.or

MSA-21-0018: Reflected XSS and open redirect in LTI authorization endpoint

by Michael Hawkins.  

The redirect URI in the LTI authorization endpoint required extra sanitizing to prevent reflected XSS and open redirect risks.


...
Severity/Risk: Minor
Versions affected: 3.10 to 3.10.3, 3.9 to 3.9.6, 3.8 to 3.8.8 and earlier unsupported versions
Versions fixed: 3.11, 3.10.4, 3.9.7 and 3.8.9
Reported by: Jordan Tomkinson
CVE

MSA-21-0017: Last app access time is visible to non-site-admins on user profile page

by Michael Hawkins.  

The last time a user accessed the mobile app is displayed on their profile page, but should be restricted to users with the relevant capability (site administrators by default).


...
Severity/Risk: Minor
Versions affected: 3.10 to 3.10.3
Versions fixed: 3.11 and 3.10.4
Reported by: Strifel
CVE identifier: CVE-2021-32477
Changes (master): h

MSA-21-0016: Files API should mitigate denial-of-service risk when adding to the draft file area

by Michael Hawkins.  

A denial-of-service risk was identified in the draft files area, due to it not respecting user file upload limits.


...
Severity/Risk: Serious
Versions affected: 3.10 to 3.10.3, 3.9 to 3.9.6, 3.8 to 3.8.8, 3.5 to 3.5.17 and earlier unsupported versions
Versions fixed: 3.11, 3.10.4, 3.9.7, 3.8.9 and 3.5.18
Reported by: Ben Samtleben
CVE