Juan Leyva

**Name of the Vulnerable Software and Affected Versions** No specific software or versions are mentioned. **Description** The issue concerns the generation of unique keys for QR login and auto-login. Currently, the same key can be used interchangeably between the two, which is insecure. A unique key should be generated for each to prevent this. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Moodle versions 3.6 through 3.6.6 Moodle versions 3.7 through 3.7.2 **Description** A vulnerability was found where tokens used to fetch inline attachments in email notifications were not disabled when a user's account was no longer active. To access files, a user would need to know the file path and their token. **Recommendations** For Moodle versions 3.6 through 3.6.6, update to version 3.6.7 or later. For Moodle versions 3.7 through 3.7.2, update to version 3.7.3 or later. As a temporary workaround, consider restricting access to email notifications and inline attachments for inactive user accounts until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Moodle versions prior to 3.6.3 Moodle versions prior to 3.5.5 Moodle versions prior to 3.4.8 **Description** A vulnerability was found where permissions were not correctly checked before loading event information into the calendar's edit event modal popup. This allowed logged in non-guest users to view unauthorized calendar events, although it was read-only access and users could not edit the events. **Recommendations** For versions prior to 3.6.3, update to version 3.6.3 or later. For versions prior to 3.5.5, update to version 3.5.5 or later. For versions prior to 3.4.8, update to version 3.4.8 or later.

**Name of the Vulnerable Software and Affected Versions** Moodle versions 3.x **Description** The issue allows teachers to view details about users in groups they cannot access through various course reports. **Recommendations** For Moodle versions 3.x, update to a version where this issue is resolved, or consider restricting access to sensitive course reports until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Moodle versions 2.x through 3.x **Description** The issue concerns the failure to invalidate web service tokens when a user's password is changed or forced to be changed. **Recommendations** For Moodle versions 2.x through 3.x, consider manually revoking and reissuing web service tokens after a password change to prevent unauthorized access until a proper fix is implemented. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Moodle versions 2.x through 3.x **Description** The issue is related to insufficient access control in the administration service of the Moodle learning management system. This can potentially allow a remote attacker to compromise the confidentiality of information. Non-admin site managers may accidentally edit admin accounts via web services. **Recommendations** For Moodle versions 2.x through 3.x, restrict access to web services for non-admin site managers to prevent accidental editing of admin accounts. As a temporary workaround, consider disabling web services for non-admin site managers until a proper fix is implemented.

**Name of the Vulnerable Software and Affected Versions** Moodle versions 2.6.11 and earlier, 2.7.x before 2.7.13, 2.8.x before 2.8.11, 2.9.x before 2.9.5, 3.0.x before 3.0.3 **Description** The issue allows remote authenticated users to obtain sensitive information via a web-service request. This occurs because the `calendar/externallib.php` file provides calendar-event data without considering whether an activity is hidden. **Recommendations** For versions 2.6.11 and earlier, update to version 2.7.13 or later. For versions 2.7.x before 2.7.13, update to version 2.7.13 or later. For versions 2.8.x before 2.8.11, update to version 2.8.11 or later. For versions 2.9.x before 2.9.5, update to version 2.9.5 or later. For versions 3.0.x before 3.0.3, update to version 3.0.3 or later.

**Name of the Vulnerable Software and Affected Versions** Moodle versions prior to 2.6.11 Moodle versions 2.7.x before 2.7.13 Moodle versions 2.8.x before 2.8.11 Moodle versions 2.9.x before 2.9.5 Moodle versions 3.0.x before 3.0.3 **Description** The issue is related to insufficient access control in the `save submission` function, allowing remote authenticated users to bypass intended due-date restrictions by leveraging the student role for a web-service request. This can be exploited by a remote attacker to circumvent existing access restrictions. **Recommendations** For versions prior to 2.6.11, update to version 2.6.11 or later. For versions 2.7.x before 2.7.13, update to version 2.7.13 or later. For versions 2.8.x before 2.8.11, update to version 2.8.11 or later. For versions 2.9.x before 2.9.5, update to version 2.9.5 or later. For versions 3.0.x before 3.0.3, update to version 3.0.3 or later. As a temporary workaround, consider restricting the use of the `save submission` function in the `mod/assign/externallib.php` file to prevent exploitation.

**Name of the Vulnerable Software and Affected Versions** Moodle versions 2.9.x through 2.9.0 **Description** The issue is related to insufficient access control in the mod/forum/post.php function of the Moodle learning management system. This can be exploited by a remote attacker to bypass existing access restrictions by leveraging group authorization. The problem arises because the `mod/forum:canposttomygroups` capability is not properly considered before authorizing certain actions, such as "Post a copy to all groups". **Recommendations** For Moodle versions 2.9.x through 2.9.0, update to version 2.9.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the `mod/forum/post.php` function to minimize the risk of exploitation. Additionally, review and adjust group authorization settings to ensure that access restrictions are properly enforced.

**Name of the Vulnerable Software and Affected Versions** Moodle versions 2.6.11 and earlier, 2.7.x before 2.7.12, 2.8.x before 2.8.10, 2.9.x before 2.9.4, 3.0.x before 3.0.2 **Description** The issue is related to the core enrol get course enrolment methods and enrol self get instance info web services in Moodle, which do not consider the moodle/course:viewhiddencourses capability. This allows remote authenticated users to obtain sensitive information via a web-service request. The vulnerability is associated with insufficient access control, enabling a remote attacker to gain confidential information through a web service request. **Recommendations** For versions 2.6.11 and earlier, update to a version later than 2.6.11 to resolve the issue. For versions 2.7.x before 2.7.12, update to version 2.7.12 or later. For versions 2.8.x before 2.8.10, update to version 2.8.10 or later. For versions 2.9.x before 2.9.4, update to version 2.9.4 or later. For versions 3.0.x before 3.0.2, update to version 3.0.2 or later. As a temporary workaround, consider restricting access to the core enrol get course enrolment methods and enrol self get instance info web services until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Moodle versions 2.6.11 and earlier, 2.7.x through 2.7.10, 2.8.x through 2.8.8, 2.9.x through 2.9.2 **Description** The issue is related to insufficient access control in the choice module, allowing remote authenticated users to bypass intended access restrictions. This can be achieved by visiting a specific URL to add or delete responses in the closed state. **Recommendations** For versions 2.6.11 and earlier, update to version 2.6.12 or later. For versions 2.7.x through 2.7.10, update to version 2.7.11 or later. For versions 2.8.x through 2.8.8, update to version 2.8.9 or later. For versions 2.9.x through 2.9.2, update to version 2.9.3 or later.

**Name of the Vulnerable Software and Affected Versions** Moodle versions 2.6.11 and earlier, 2.7.x through 2.7.10, 2.8.x through 2.8.8, 2.9.x through 2.9.2 **Description** The issue is related to the mod scorm component in Moodle, which mishandles availability dates. This allows remote authenticated users to bypass intended access restrictions and read SCORM contents. The vulnerability is associated with insufficient access control, enabling a remote attacker to circumvent existing access restrictions and gain access to SCORM content. **Recommendations** For versions 2.6.11 and earlier, update to version 2.6.12 or later. For versions 2.7.x through 2.7.10, update to version 2.7.11 or later. For versions 2.8.x through 2.8.8, update to version 2.8.9 or later. For versions 2.9.x through 2.9.2, update to version 2.9.3 or later.

**Name of the Vulnerable Software and Affected Versions** Moodle versions 2.6.11 and earlier, 2.7.x prior to 2.7.10, 2.8.x prior to 2.8.8, 2.9.x prior to 2.9.2 **Description** The issue is related to inadequate access control in the rating component of the Moodle learning management system. This allows a remote attacker to obtain sensitive information by reading a rating value due to mishandled group-based authorization checks. **Recommendations** For versions 2.6.11 and earlier, update to a version later than 2.6.11. For versions 2.7.x prior to 2.7.10, update to version 2.7.10 or later. For versions 2.8.x prior to 2.8.8, update to version 2.8.8 or later. For versions 2.9.x prior to 2.9.2, update to version 2.9.2 or later.

**Name of the Vulnerable Software and Affected Versions** Moodle versions 2.5.9 and earlier, 2.6.x before 2.6.11, 2.7.x before 2.7.8, and 2.8.x before 2.8.6 **Description** The issue is related to insufficient access control in the files/externallib.php component of the Moodle learning management system. This allows remote authenticated users to bypass intended file-management restrictions by using web services to perform uploads after the moodle/user:manageownfiles capability has been revoked. The vulnerability can be exploited by an attacker to circumvent access restrictions to file management using web services designed for data upload. **Recommendations** For Moodle versions 2.5.9 and earlier, update to a version later than 2.5.9 to resolve the issue. For Moodle versions 2.6.x before 2.6.11, update to version 2.6.11 or later. For Moodle versions 2.7.x before 2.7.8, update to version 2.7.8 or later. For Moodle versions 2.8.x before 2.8.6, update to version 2.8.6 or later. As a temporary workaround, consider restricting access to the `files/externallib.php` component until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Moodle versions 2.5.9 and earlier, 2.6.x before 2.6.9, 2.7.x before 2.7.6, 2.8.x before 2.8.4 **Description** The issue is related to insufficient access control in the login/token.php component of the Moodle learning management system. This allows remote authenticated users to bypass a forced-password-change requirement by creating a web-services token. The vulnerability can be exploited by a remote attacker to ignore the mandatory password change. **Recommendations** For versions 2.5.9 and earlier, update to a version later than 2.5.9. For versions 2.6.x before 2.6.9, update to version 2.6.9 or later. For versions 2.7.x before 2.7.6, update to version 2.7.6 or later. For versions 2.8.x before 2.8.4, update to version 2.8.4 or later. As a temporary workaround, consider restricting access to the `login/token.php` component to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Moodle versions 2.5.9 and earlier Moodle versions 2.6.x before 2.6.7 Moodle versions 2.7.x before 2.7.4 Moodle versions 2.8.x before 2.8.2 **Description** The issue is related to insufficient access control in the message/externallib.php component of the Moodle learning management system. This allows a remote authenticated user to bypass the messaging-disabled setting by sending a specially crafted web-services request. For example, this can be achieved through a people-search request. **Recommendations** For Moodle versions 2.5.9 and earlier, update to version 2.6.7 or later. For Moodle versions 2.6.x before 2.6.7, update to version 2.6.7 or later. For Moodle versions 2.7.x before 2.7.4, update to version 2.7.4 or later. For Moodle versions 2.8.x before 2.8.2, update to version 2.8.2 or later.

**Name of the Vulnerable Software and Affected Versions** Moodle versions 2.3.11 and earlier, 2.4.x before 2.4.10, 2.5.x before 2.5.6, 2.6.x before 2.6.3 **Description** The issue allows remote attackers to hijack sessions via a brute-force attack because `login/token.php` creates a MoodleMobile web-service token with an infinite lifetime. **Recommendations** For versions 2.3.11 and earlier, update to version 2.4.10 or later to resolve the issue. For versions 2.4.x before 2.4.10, update to version 2.4.10 or later to resolve the issue. For versions 2.5.x before 2.5.6, update to version 2.5.6 or later to resolve the issue. For versions 2.6.x before 2.6.3, update to version 2.6.3 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Moodle versions 2.1.x through 2.1.6 Moodle versions 2.2.x through 2.2.3 **Description** The issue allows remote authenticated users to obtain sensitive information by reading a file that is embedded in a block, due to improper restriction of file access after a block has been hidden. **Recommendations** For Moodle versions 2.1.x through 2.1.6, update to version 2.1.7 or later. For Moodle versions 2.2.x through 2.2.3, update to version 2.2.4 or later.