Helen Foster

**Name of the Vulnerable Software and Affected Versions** Moodle versions 3.3 through 3.3.4 Moodle versions 3.4 through 3.4.1 **Description** A flaw was found in the authentication process. If a user account using OAuth2 authentication method was once confirmed but later suspended, the user could still login to the site. **Recommendations** For Moodle versions 3.3 through 3.3.4, update to a version that fixes this issue. For Moodle versions 3.4 through 3.4.1, update to a version that fixes this issue.

**Name of the Vulnerable Software and Affected Versions** Moodle versions 2.1.10 and earlier Moodle versions 2.2.x before 2.2.8 Moodle versions 2.3.x before 2.3.5 Moodle versions 2.4.x before 2.4.2 **Description** The issue allows remote attackers to obtain sensitive course-profile information by leveraging the guest role. This is demonstrated by a Google search, indicating potential real-world exploitation. The `user/view.php` file does not enforce the `forceloginforprofiles` setting, leading to the exposure of sensitive information. **Recommendations** For Moodle versions 2.1.10 and earlier, update to a version later than 2.1.10 to resolve the issue. For Moodle versions 2.2.x before 2.2.8, update to version 2.2.8 or later. For Moodle versions 2.3.x before 2.3.5, update to version 2.3.5 or later. For Moodle versions 2.4.x before 2.4.2, update to version 2.4.2 or later. As a temporary workaround, consider restricting access to the `user/view.php` file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Moodle versions 2.0.x through 2.0.3 Moodle versions 2.1.x through 2.1.0 **Description** The issue allows remote attackers to post a comment by leveraging the guest role and operating on a front-page activity, due to improper restriction of comment capabilities in the comment/lib.php file. **Recommendations** For Moodle versions 2.0.x through 2.0.3, update to version 2.0.4 or later. For Moodle versions 2.1.x through 2.1.0, update to version 2.1.1 or later.