Researchers have disclosed new security vulnerabilities in the open-source e-learning platform Moodle that could let users obtain information about other users they are not authorized to see and, in one case, let an attacker trick a logged-in teacher into resetting course content. Patches have been released, and Moodle administrators are urged to apply the updates immediately.
Moodle is a tool that enables institutions to create online learning materials for students. Following the detection of these vulnerabilities, fixes have been made to the platform to mitigate the risk.
Recent research into Moodle identified several security risks that have since been addressed. Two of them, CVE-2023-1402 and CVE-2023-28336, need administrators' immediate attention because they allow users to access information they are not authorized to see.
CVE-2023-1402 could display role information to users who should not have access to it, and CVE-2023-28336 could let teachers learn the names of users they could not otherwise access.
These issues affected versions 4.1 to 4.1.1, 4.0 to 4.0.6, 3.11 to 3.11.12, 3.9 to 3.9.19, and earlier unsupported versions. They are fixed in versions 4.1.2, 4.0.7, 3.11.13, and 3.9.20.
More vulnerabilities in E-learning Platform Moodle
Moodle has published the list of vulnerabilities on its website.
One such vulnerability involved inadequate filtering of the grade report history, which allowed teachers to view the names of users they were not authorized to access.
The security flaw impacted various versions of Moodle, including versions 4.1 to 4.1.1, 4.0 to 4.0.6, 3.11 to 3.11.12, and 3.9 to 3.9.19, as well as older unsupported versions.
The fix ships in versions 4.1.2, 4.0.7, 3.11.13, and 3.9.20, which filter the report so that only users the teacher is entitled to see are listed.
Moodle users were also alerted to a Cross-Site Request Forgery (CSRF) issue in the Database activity module. The link that resets an activity's templates did not carry the anti-CSRF token that Moodle requires on state-changing requests, so a teacher who visited a malicious page while logged in could have the activity's templates reset without intending to.
This vulnerability affected only versions 4.1 to 4.1.1 and is fixed in version 4.1.2.
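The following is an added illustration of the token check that this class of bug omits; it is not Moodle's code. It re-implements, in plain PHP with no framework dependency, the session-key pattern Moodle uses (Moodle's own helpers are called sesskey() and confirm_sesskey(); the versions here are local stand-ins with the same names), and the request path, parameter names and in-memory template store are assumptions made for the demo.

```php
<?php
// Added illustration (not Moodle code): a reset link with and without a
// session-bound anti-CSRF token. $session stands in for the server-side
// session store; $templates stands in for the Database activity's templates.
// The path /mod/data/templates.php and the parameters d/action are assumed.

declare(strict_types=1);

// Issue one random key per session and reuse it for every state-changing
// link or form. An attacker's page cannot read it (same-origin policy), so
// it cannot build a request that carries it.
function sesskey(array &$session): string {
    if (empty($session['sesskey'])) {
        $session['sesskey'] = bin2hex(random_bytes(16));
    }
    return $session['sesskey'];
}

// Constant-time comparison of the submitted key with the session's key.
function confirm_sesskey(array $session, array $params): bool {
    if (empty($session['sesskey']) || !isset($params['sesskey'])) {
        return false;
    }
    return hash_equals($session['sesskey'], (string) $params['sesskey']);
}

// VULNERABLE shape: a bare reset link. Any page the teacher visits can embed
// <img src="https://lms.example/mod/data/templates.php?d=42&action=reset">
// and the browser attaches the teacher's session cookie automatically.
function vulnerable_reset_link(int $dataid): string {
    return '/mod/data/templates.php?d=' . $dataid . '&action=reset';
}

function handle_reset_vulnerable(array $session, array $params, array &$templates): bool {
    if (($params['action'] ?? '') !== 'reset') {
        return false;
    }
    // State changes with nothing tying the request to the user's own intent.
    $templates[(int) $params['d']] = 'default';
    return true;
}

// HARDENED shape: the link carries the session key and the handler refuses
// to change anything unless the key matches the session.
function hardened_reset_link(int $dataid, array &$session): string {
    return '/mod/data/templates.php?d=' . $dataid
        . '&action=reset&sesskey=' . sesskey($session);
}

function handle_reset_hardened(array $session, array $params, array &$templates): bool {
    if (($params['action'] ?? '') !== 'reset') {
        return false;
    }
    if (!confirm_sesskey($session, $params)) {
        return false;   // forged or replayed cross-site request: reject, change nothing
    }
    $templates[(int) $params['d']] = 'default';
    return true;
}

// Demo with a constructed victim session and a forged request built from the
// token-less link, which is all an attacker can construct.
$session   = [];
$templates = [42 => 'custom teacher template'];

parse_str((string) parse_url(vulnerable_reset_link(42), PHP_URL_QUERY), $forged);
$resetByForgery = handle_reset_vulnerable($session, $forged, $templates);

$templates = [42 => 'custom teacher template'];
$resetByForgeryHardened = handle_reset_hardened($session, $forged, $templates);

// A link rendered for the logged-in teacher does carry the key and succeeds.
parse_str((string) parse_url(hardened_reset_link(42, $session), PHP_URL_QUERY), $legit);
$resetByTeacher = handle_reset_hardened($session, $legit, $templates);

var_dump($resetByForgery, $resetByForgeryHardened, $resetByTeacher, $templates);
```

The check has to sit in the handler, not only in the link: a reset that is reachable by a plain GET with no token is exploitable regardless of what the legitimate UI emits, which is why the fix for this advisory is a token on the link plus a requirement that the server verifies it.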
Another security risk involved the ability of authenticated users to obtain other users’ names through the learning plans page.
Versions 4.1 to 4.1.1 and 4.0 to 4.0.6 were affected; the fix is in versions 4.1.2 and 4.0.7, which restrict the page to users the viewer is allowed to see.
Moodle's Mustache pix helper carried a potential Mustache injection risk if it was combined with user input. No use of the helper in the core LMS was found to be exploitable, but the helper itself was hardened.
Versions 4.1 to 4.1.1, 4.0 to 4.0.6, 3.11 to 3.11.12, 3.9 to 3.9.19, and earlier unsupported versions were affected. The fix is in versions 4.1.2, 4.0.7, 3.11.13, and 3.9.20.
In addition, an algebra filter that was enabled but not functional (for example, because the external rendering tools it depends on were missing) presented a potential Cross-Site Scripting (XSS) risk.
This risk also affected versions 4.1 to 4.1.1, 4.0 to 4.0.6, 3.11 to 3.11.12, 3.9 to 3.9.19, and earlier unsupported versions. Until a site is updated, administrators should confirm that the algebra filter actually renders expressions before leaving it enabled, since a filter that cannot render is the failing case here.
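The following is an added illustration of the general failure mode behind this kind of bug, a content filter that fails open when its backend is unavailable, set beside a fail-closed version. It is not the algebra filter's code: the @@...@@ delimiter follows the algebra filter's convention, but the rendering backend is modelled by a callable that may be null, the image URL is assumed, and the input is constructed for the demo.

```php
<?php
// Added illustration (not Moodle's filter): a text filter that rewrites maths
// delimiters using a rendering backend. The backend is modelled by a callable;
// null models "enabled but not functional". Filter output is treated as
// trusted HTML by the caller, which is what makes fail-open dangerous.

declare(strict_types=1);

const MATH_PATTERN = '/@@(.+?)@@/s';   // @@expr@@ delimiters (assumed convention)

function escape_html(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Fail-open (the risky shape): when rendering is impossible the filter returns
// the original text untouched. If the caller treats the filter's output as
// already-safe HTML, the raw user input reaches the page unescaped.
function filter_fail_open(string $text, ?callable $render): string {
    return preg_replace_callback(MATH_PATTERN, function (array $m) use ($render): string {
        if ($render === null) {
            return $m[0];                    // raw, unescaped
        }
        return $render($m[1]);
    }, $text);
}

// Fail-closed: an expression that cannot be rendered is HTML-escaped before it
// is returned, so a dead backend degrades to visible plain text, not markup.
function filter_fail_closed(string $text, ?callable $render): string {
    return preg_replace_callback(MATH_PATTERN, function (array $m) use ($render): string {
        if ($render === null) {
            return escape_html($m[1]);
        }
        return $render($m[1]);
    }, $text);
}

// A working backend: emit an <img> whose alt text and URL are both encoded,
// so the expression never lands in HTML or URL context unescaped.
$render = function (string $expr): string {
    return '<img alt="' . escape_html($expr) . '" src="/filter/algebra/render.php?e='
        . rawurlencode($expr) . '">';   // render endpoint path is assumed
};

// Constructed input: a maths block carrying a script payload.
$input = 'Solve @@x^2+1<script>alert(1)</script>@@ for x.';

echo "fail-open, backend missing:   ", filter_fail_open($input, null), PHP_EOL;
echo "fail-closed, backend missing: ", filter_fail_closed($input, null), PHP_EOL;
echo "fail-closed, backend working: ", filter_fail_closed($input, $render), PHP_EOL;
```

The operational check this suggests is the one the advisory implies: a filter whose dependencies are missing should be disabled rather than left enabled in the hope that it is harmless, and filter code should escape on every path that returns user-controlled text, including its error paths.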
While Moodle is a popular and useful platform for creating online learning materials, staying up to date with the latest security patches and ensuring the platform is configured correctly to mitigate risks is essential.