Summary
Several new vulnerabilities, three rated "critical" and two rated "high", have been reported in Moodle LMS, a widely used open source learning management system for delivering e-learning courses.
Risk
Vulnerability impact estimate for the reference community [1]: 66.41
Type
- Remote Code Execution
- Information Disclosure
- Denial of Service
- Security Feature Bypass
Affected Products and Versions
Moodle
- 4.5.x, version 4.5.3 and earlier
- 4.4.x, version 4.4.7 and earlier
- 4.3.x, version 4.3.11 and earlier
- 4.1.x, version 4.1.17 and earlier
- All earlier, no-longer-supported versions
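Because the affected ranges above are expressed per release branch, a quick way to triage an installation is to read the release string from Moodle's version.php and compare it against those ranges. The script below is an added example written for this advisory, not code from Moodle or from the original bulletin; the version.php excerpt it parses is a constructed sample, and the build date in it is invented. It applies the ranges listed above and treats any branch not listed, and older than the newest listed one (for example 4.2.x or 3.x), as out of security support.

```python
import re

# Affected ranges as published in the advisory: branch -> highest affected patch level.
# These are the branches that still received security fixes at the time.
AFFECTED_BRANCHES = {
    (4, 5): 3,   # 4.5.3 and earlier
    (4, 4): 7,   # 4.4.7 and earlier
    (4, 3): 11,  # 4.3.11 and earlier
    (4, 1): 17,  # 4.1.17 and earlier
}
NEWEST_LISTED_BRANCH = max(AFFECTED_BRANCHES)  # (4, 5)

# Constructed sample of a Moodle version.php; the build date is invented.
SAMPLE_VERSION_PHP = """<?php
$version  = 2024100703.00;
$release  = '4.5.3 (Build: 20250414)';
$branch   = '405';
$maturity = MATURITY_STABLE;
"""


def release_from_version_php(text: str) -> str:
    """Extract the $release string from the contents of a Moodle version.php."""
    m = re.search(r"\$release\s*=\s*'([^']*)'", text)
    if not m:
        raise ValueError("no $release assignment found in version.php")
    return m.group(1)


def parse_release(release: str) -> tuple[int, int, int]:
    """Turn a release string such as '4.5.3 (Build: 20250414)', '4.4.7+' or '4.5'
    into (major, minor, patch); a missing patch level is treated as 0."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised Moodle release string: {release!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def assess(release: str) -> str:
    """Classify a release against the advisory's affected ranges.

    Returns one of:
      'affected'    - listed branch, patch level within the affected range
      'fixed'       - listed branch, patch level above the affected range
      'unsupported' - branch not listed and older than the newest listed branch
                      (no security fixes are issued for it; upgrade the branch)
      'not_listed'  - branch newer than anything in the advisory
    """
    major, minor, patch = parse_release(release)
    branch = (major, minor)
    if branch in AFFECTED_BRANCHES:
        return "affected" if patch <= AFFECTED_BRANCHES[branch] else "fixed"
    if branch < NEWEST_LISTED_BRANCH:
        return "unsupported"
    return "not_listed"


def assess_version_php(text: str) -> str:
    """Convenience wrapper: classify an installation from its version.php contents."""
    return assess(release_from_version_php(text))


if __name__ == "__main__":
    rel = release_from_version_php(SAMPLE_VERSION_PHP)
    print(f"Release {rel!r}: {assess(rel)}")
```

On a real host, feed the function the contents of `<moodle root>/version.php`; a result of `affected` or `unsupported` means the installation needs to be moved to a release above the listed range on a supported branch.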
Mitigation Actions
As advised by the vendor, apply the fixes described in the security bulletins listed under References, i.e. upgrade each installation to a release above the affected range on a supported branch.
Only the CVEs for the vulnerabilities rated "critical" and "high" are listed below:
References
https://moodle.org/mod/forum/discuss.php?d=467592&parent=1877211
https://moodle.org/mod/forum/discuss.php?d=467593&parent=1877212
https://moodle.org/mod/forum/discuss.php?d=467602&parent=1877222
https://moodle.org/mod/forum/discuss.php?d=467603&parent=1877223
https://moodle.org/mod/forum/discuss.php?d=467604&parent=1877224
[1] This estimate takes into account several parameters, including the CVSS score, the availability of patches, workarounds and PoCs, and how widespread the affected software or devices are in the reference community.