Andrew Nicols

**Name of the Vulnerable Software and Affected Versions** Moodle versions 3.5 through 3.5.7 Moodle versions 3.6 through 3.6.5 Moodle versions 3.7 through 3.7.1 **Description** A vulnerability was found where javaScript injection was possible in some Mustache templates via recursive rendering from contexts. This occurred because Mustache helper tags included in template contexts were not being escaped before the context was injected into another Mustache helper, which could result in script injection in some templates. **Recommendations** For versions 3.5 through 3.5.7, update to a version later than 3.5.7 to resolve the issue. For versions 3.6 through 3.6.5, update to a version later than 3.6.5 to resolve the issue. For versions 3.7 through 3.7.1, update to a version later than 3.7.1 to resolve the issue. As a temporary workaround, consider restricting the use of recursive rendering in Mustache templates to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Moodle versions 3.7 through 3.7.1 Moodle versions 3.6 through 3.6.5 Moodle versions 3.5 through 3.5.7 Moodle versions prior to 3.5 **Description** A vulnerability was found in Moodle where activity creation capabilities were not correctly respected when selecting the activity to use for a course in single activity mode. **Recommendations** For Moodle versions 3.7 through 3.7.1, update to a version outside of this range to resolve the issue. For Moodle versions 3.6 through 3.6.5, update to a version outside of this range to resolve the issue. For Moodle versions 3.5 through 3.5.7, update to a version outside of this range to resolve the issue. For Moodle versions prior to 3.5, update to a version 3.5 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Moodle versions 3.7 through 3.7.1 Moodle versions 3.6 through 3.6.5 Moodle versions 3.5 through 3.5.7 Moodle versions prior to 3.5 **Description** A vulnerability was found in Moodle where users with the capability to create courses were assigned as a teacher in those courses, regardless of whether they had the capability to be automatically assigned that role. **Recommendations** For versions 3.7 through 3.7.1, update to a version outside of this range to resolve the issue. For versions 3.6 through 3.6.5, update to a version outside of this range to resolve the issue. For versions 3.5 through 3.5.7, update to a version outside of this range to resolve the issue. For versions prior to 3.5, update to a version 3.5 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Moodle versions prior to 3.6.3 **Description** A vulnerability was found where the `get with capability join` and `get users by capability` functions did not account for context freezing when checking user capabilities. **Recommendations** For versions prior to 3.6.3, update to version 3.6.3 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Moodle versions 2.7 through 2.7.13 Moodle versions 2.8 through 2.8.11 Moodle versions 2.9 through 2.9.5 Moodle versions 3.0 through 3.0.3 **Description** A cross-site request forgery (CSRF) issue exists, allowing remote attackers to hijack user authentication for requests that mark forum posts as read. **Recommendations** For Moodle versions 2.7 through 2.7.13, update to a version that includes the fix for this issue. For Moodle versions 2.8 through 2.8.11, update to a version that includes the fix for this issue. For Moodle versions 2.9 through 2.9.5, update to a version that includes the fix for this issue. For Moodle versions 3.0 through 3.0.3, update to a version that includes the fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Moodle versions 2.x through 3.x **Description** The issue is related to insufficient access control in the course notes viewing capability, which is checked in the wrong context. This can potentially allow a remote attacker to elevate their privileges. **Recommendations** For Moodle versions 2.x through 3.x, update to a version where the access control for course notes viewing is properly implemented in the correct context. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Moodle versions prior to 2.6.11 Moodle versions 2.7.x before 2.7.11 Moodle versions 2.8.x before 2.8.9 Moodle versions 2.9.x before 2.9.3 **Description** The issue is related to insufficient restriction of the availability of Flowplayer, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted .swf file. This can be exploited by a remote attacker to perform XSS attacks. **Recommendations** For versions prior to 2.6.11, update to version 2.6.11 or later. For versions 2.7.x before 2.7.11, update to version 2.7.11 or later. For versions 2.8.x before 2.8.9, update to version 2.8.9 or later. For versions 2.9.x before 2.9.3, update to version 2.9.3 or later.

**Name of the Vulnerable Software and Affected Versions** Flowplayer Flash versions prior to 3.2.17 Moodle versions prior to 2.3.11 Moodle versions 2.4.x prior to 2.4.9 Moodle versions 2.5.x prior to 2.5.5 Moodle versions 2.6.x prior to 2.6.2 **Description** The issue allows remote attackers to inject arbitrary web script or HTML by providing a crafted `playerId` or referencing an external domain. This can lead to cross-site scripting (XSS) attacks. **Recommendations** For Flowplayer Flash versions prior to 3.2.17, update to version 3.2.17 or later. For Moodle versions prior to 2.3.11, update to version 2.3.11 or later. For Moodle versions 2.4.x prior to 2.4.9, update to version 2.4.9 or later. For Moodle versions 2.5.x prior to 2.5.5, update to version 2.5.5 or later. For Moodle versions 2.6.x prior to 2.6.2, update to version 2.6.2 or later.

**Name of the Vulnerable Software and Affected Versions** Moodle versions 2.1.10 and earlier, 2.2.x through 2.2.10, 2.3.x through 2.3.7, 2.4.x through 2.4.4, 2.5.x through 2.5.0 Yahoo! YUI versions 3.5.0 through 3.9.1 **Description** A cross-site scripting (XSS) issue exists, allowing remote attackers to inject arbitrary web script or HTML via a crafted string in a URL. This is due to a vulnerability in the flashuploader.swf file within the Uploader component. **Recommendations** For Moodle versions 2.1.10 and earlier, update to version 2.1.11 or later. For Moodle versions 2.2.x through 2.2.10, update to version 2.2.11 or later. For Moodle versions 2.3.x through 2.3.7, update to version 2.3.8 or later. For Moodle versions 2.4.x through 2.4.4, update to version 2.4.5 or later. For Moodle versions 2.5.x through 2.5.0, update to version 2.5.1 or later. For Yahoo! YUI versions 3.5.0 through 3.9.1, consider disabling the flashuploader.swf file until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Moodle versions 2.1.10 and earlier, 2.2.x through 2.2.10, 2.3.x through 2.3.7, 2.4.x through 2.4.4, 2.5.x through 2.5.0 Yahoo! YUI versions 3.2.0 through 3.9.1 **Description** A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via a crafted string in a URL. This is due to a vulnerability in the uploader.swf component of Yahoo! YUI. **Recommendations** For Moodle versions 2.1.10 and earlier, update to version 2.1.11 or later. For Moodle versions 2.2.x through 2.2.10, update to version 2.2.11 or later. For Moodle versions 2.3.x through 2.3.7, update to version 2.3.8 or later. For Moodle versions 2.4.x through 2.4.4, update to version 2.4.5 or later. For Moodle versions 2.5.x through 2.5.0, update to version 2.5.1 or later. For Yahoo! YUI versions 3.2.0 through 3.9.1, consider disabling the uploader.swf component until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Moodle versions prior to 2.1.10 Moodle versions 2.2.x before 2.2.11 Moodle versions 2.3.x before 2.3.8 Moodle versions 2.4.x before 2.4.5 Moodle versions 2.5.x before 2.5.1 Yahoo! YUI version 3.10.2 **Description** A cross-site scripting (XSS) issue exists, allowing remote attackers to inject arbitrary web script or HTML via a crafted string in a URL. This occurs due to a regression. **Recommendations** For Moodle versions prior to 2.1.10, update to version 2.1.10 or later. For Moodle versions 2.2.x before 2.2.11, update to version 2.2.11 or later. For Moodle versions 2.3.x before 2.3.8, update to version 2.3.8 or later. For Moodle versions 2.4.x before 2.4.5, update to version 2.4.5 or later. For Moodle versions 2.5.x before 2.5.1, update to version 2.5.1 or later. For Yahoo! YUI version 3.10.2, consider disabling the io.swf component in the IO Utility until a patch is available.

**Name of the Vulnerable Software and Affected Versions** YUI versions 3.0.0 through 3.9.1 Moodle versions prior to 2.1.10 Moodle versions 2.2.x prior to 2.2.11 Moodle versions 2.3.x prior to 2.3.8 Moodle versions 2.4.x prior to 2.4.5 Moodle versions 2.5.x prior to 2.5.1 **Description** A cross-site scripting (XSS) issue exists in the IO Utility component, specifically in io.swf, allowing remote attackers to inject arbitrary web script or HTML via a crafted string in a URL. This affects various products, including Moodle, that utilize YUI. The `uploader.swf` and `io.swf` utilities are vulnerable to script injection in the URL. **Recommendations** For YUI versions 3.0.0 through 3.9.1: Delete self-hosted copies of the vulnerable files if not in use, use the Yahoo! CDN hosted files, or use the patched files provided by YUI. For Moodle versions prior to 2.1.10: Update to version 2.1.10 or later. For Moodle versions 2.2.x prior to 2.2.11: Update to version 2.2.11 or later. For Moodle versions 2.3.x prior to 2.3.8: Update to version 2.3.8 or later. For Moodle versions 2.4.x prior to 2.4.5: Update to version 2.4.5 or later. For Moodle versions 2.5.x prior to 2.5.1: Update to version 2.5.1 or later.

**Name of the Vulnerable Software and Affected Versions** Moodle versions 2.0 through 2.1.10 Moodle versions 2.2.x through 2.2.7 Moodle versions 2.3.x through 2.3.4 Moodle versions 2.4.x through 2.4.1 **Description** The issue allows remote authenticated administrators to obtain sensitive information from the external repositories of arbitrary users by leveraging the `login as` feature. **Recommendations** For versions 2.0 through 2.1.10, update to a version after 2.1.10 to resolve the issue. For versions 2.2.x through 2.2.7, update to version 2.2.8 or later to resolve the issue. For versions 2.3.x through 2.3.4, update to version 2.3.5 or later to resolve the issue. For versions 2.4.x through 2.4.1, update to version 2.4.2 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Moodle versions 2.2.x through 2.2.6 Moodle versions 2.3.x through 2.3.3 Moodle versions 2.4.x through 2.4.0 **Description** The issue affects the messaging system in Moodle, specifically in the user/messageselect.php file. It allows remote attackers to hijack the authentication of arbitrary users for requests that send course messages due to multiple cross-site request forgery (CSRF) vulnerabilities. **Recommendations** For Moodle versions 2.2.x through 2.2.6, update to version 2.2.7 or later. For Moodle versions 2.3.x through 2.3.3, update to version 2.3.4 or later. For Moodle versions 2.4.x through 2.4.0, update to version 2.4.1 or later.

**Name of the Vulnerable Software and Affected Versions** Moodle versions 2.1.x through 2.1.6 Moodle versions 2.2.x through 2.2.3 **Description** The issue concerns the improper implementation of access restrictions in a Q&A forum, allowing remote authenticated users with the student role to bypass intended restrictions by reading the RSS feed for a forum. **Recommendations** For Moodle versions 2.1.x through 2.1.6, update to version 2.1.7 or later. For Moodle versions 2.2.x through 2.2.3, update to version 2.2.4 or later.

**Name of the Vulnerable Software and Affected Versions** Moodle versions 2.2.x through 2.2.3 Moodle versions 2.3.x through 2.3.0 **Description** The issue is related to the `is enrolled` function in `lib/accesslib.php`, which does not properly interact with the caching feature. This might allow remote authenticated users to bypass an intended capability check via unspecified vectors that trigger caching of a user record. **Recommendations** For Moodle versions 2.2.x through 2.2.3, update to version 2.2.4 or later. For Moodle versions 2.3.x through 2.3.0, update to version 2.3.1 or later.