Ankit Agarwal

Name of the Vulnerable Software and Affected Versions: Moodle versions prior to 3.10.2 Moodle versions prior to 3.9.5 Moodle versions prior to 3.8.8 Moodle versions prior to 3.5.17 Description: It was possible for some users without permission to view other users' full names via the online users block in Moodle. Recommendations: For versions prior to 3.10.2, update to version 3.10.2 or later. For versions prior to 3.9.5, update to version 3.9.5 or later. For versions prior to 3.8.8, update to version 3.8.8 or later. For versions prior to 3.5.17, update to version 3.5.17 or later.

**Name of the Vulnerable Software and Affected Versions** Moodle versions prior to 2.6.11 Moodle versions 2.7.x before 2.7.11 Moodle versions 2.8.x before 2.8.9 Moodle versions 2.9.x before 2.9.3 **Description** The issue is related to multiple cross-site request forgery (CSRF) vulnerabilities in the lesson module of Moodle. These vulnerabilities can be exploited by a remote attacker to gain access to the authentication data of arbitrary users. The exploitation involves requests to specific API endpoints, such as "mod/lesson/mediafile.php" or "mod/lesson/view.php". **Recommendations** For versions prior to 2.6.11, update to version 2.6.11 or later. For versions 2.7.x before 2.7.11, update to version 2.7.11 or later. For versions 2.8.x before 2.8.9, update to version 2.8.9 or later. For versions 2.9.x before 2.9.3, update to version 2.9.3 or later. As a temporary workaround, consider restricting access to the "mod/lesson/mediafile.php" and "mod/lesson/view.php" API endpoints until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** Moodle versions prior to 2.5.10 Moodle versions 2.6.x through 2.6.6 Moodle versions 2.7.x through 2.7.3 Moodle versions 2.8.x through 2.8.1 **Description** The issue is related to cross-site request forgery (CSRF) in the Glossary module. This can allow a remote attacker to hijack the authentication of victims. **Recommendations** For versions 2.5.x, update to version 2.5.10 or later. For versions 2.6.x, update to version 2.6.7 or later. For versions 2.7.x, update to version 2.7.4 or later. For versions 2.8.x, update to version 2.8.2 or later.

**Name of the Vulnerable Software and Affected Versions** Moodle versions 2.2.11 and earlier Moodle versions 2.3.x before 2.3.8 Moodle versions 2.4.x before 2.4.5 Moodle versions 2.5.x before 2.5.1 **Description** The issue allows remote authenticated users to obtain sensitive answer information by reading the HTML source code of a document, specifically affecting the mod/lesson/pagetypes/matching.php file. **Recommendations** For Moodle versions 2.2.11 and earlier, update to a version later than 2.2.11. For Moodle versions 2.3.x before 2.3.8, update to version 2.3.8 or later. For Moodle versions 2.4.x before 2.4.5, update to version 2.4.5 or later. For Moodle versions 2.5.x before 2.5.1, update to version 2.5.1 or later.

**Name of the Vulnerable Software and Affected Versions** Moodle versions 2.4.0 through 2.4.1 **Description** The issue allows remote authenticated users to obtain potentially sensitive information by leveraging the student role, due to the failure of calendar/managesubscriptions.php to consider capability requirements before displaying calendar subscriptions. **Recommendations** For Moodle versions 2.4.0 through 2.4.1, update to version 2.4.2 or later to resolve the issue.