Andrew Davis

**Name of the Vulnerable Software and Affected Versions** Moodle versions prior to 2.6.11 Moodle versions 2.7.x before 2.7.11 Moodle versions 2.8.x before 2.8.9 Moodle versions 2.9.x before 2.9.3 **Description** A cross-site request forgery (CSRF) issue affects the admin/registration/register.php file, allowing remote attackers to hijack the authentication of administrators for requests that send statistics to an arbitrary hub URL. This can enable an attacker to impersonate a user during a session by sending a request with statistics to any URL. **Recommendations** For versions prior to 2.6.11, update to version 2.6.11 or later. For versions 2.7.x before 2.7.11, update to version 2.7.11 or later. For versions 2.8.x before 2.8.9, update to version 2.8.9 or later. For versions 2.9.x before 2.9.3, update to version 2.9.3 or later.

**Name of the Vulnerable Software and Affected Versions** Moodle versions 2.2.10 and earlier, 2.3.x before 2.3.7, 2.4.x before 2.4.4 **Description** The issue allows remote authenticated users to obtain sensitive information by leveraging the student role and reading the Gradebook Overview report, due to the core grade component not properly considering the existence of hidden grades. **Recommendations** For Moodle versions 2.2.10 and earlier, update to version 2.2.11 or later. For Moodle versions 2.3.x before 2.3.7, update to version 2.3.7 or later. For Moodle versions 2.4.x before 2.4.4, update to version 2.4.4 or later.

**Name of the Vulnerable Software and Affected Versions** Moodle versions 2.2.x through 2.2.4 Moodle versions 2.3.x through 2.3.1 **Description** The issue allows remote authenticated users to bypass intended upload-size restrictions. This is achieved by setting a -1 value in the `maxbytes` field in the `repository/repository ajax.php` file. **Recommendations** For Moodle versions 2.2.x through 2.2.4, update to version 2.2.5 or later. For Moodle versions 2.3.x through 2.3.1, update to version 2.3.2 or later.

**Name of the Vulnerable Software and Affected Versions** Moodle versions 2.1.x through 2.1.6 Moodle versions 2.2.x through 2.2.3 **Description** The issue allows remote authenticated users to bypass forum-subscription requirements by leveraging the student role and unsubscribing from all forums, due to the `mod/forum/unsubscribeall.php` script not considering whether a forum is optional. **Recommendations** For Moodle versions 2.1.x through 2.1.6, update to version 2.1.7 or later. For Moodle versions 2.2.x through 2.2.3, update to version 2.2.4 or later.