CVE-2023-5549 – Moodle: insufficient capability checks when updating the parent of a course category
https://notcve.org/view.php?id=CVE-2023-5549
Insufficient web service capability checks made it possible to move categories a user had permission to manage to a parent category they did not have the capability to manage.
References: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-66730 ; https://bugzilla.redhat.com/show_bug.cgi?id=2243451 ; https://moodle.org/mod/forum/discuss.php?d=451590
Weaknesses: CWE-269: Improper Privilege Management; CWE-284: Improper Access Control
CVE-2023-5548 – Moodle: cache poisoning risk with endpoint revision numbers
https://notcve.org/view.php?id=CVE-2023-5548
Stronger revision number limitations were required on file serving endpoints to improve cache poisoning protection.
References: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-77846 ; https://bugzilla.redhat.com/show_bug.cgi?id=2243449 ; https://moodle.org/mod/forum/discuss.php?d=451589
Weaknesses: CWE-345: Insufficient Verification of Data Authenticity; CWE-349: Acceptance of Extraneous Untrusted Data With Trusted Data
CVE-2023-5545 – Moodle: auto-populated h5p author name causes a potential information leak
https://notcve.org/view.php?id=CVE-2023-5545
H5P metadata automatically populated the author field with the user's username, which could be sensitive information.
References: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-78820 ; https://bugzilla.redhat.com/show_bug.cgi?id=2243444 ; https://moodle.org/mod/forum/discuss.php?d=451586
Weaknesses: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor; CWE-668: Exposure of Resource to Wrong Sphere
CVE-2023-5542 – Moodle: students can view other users in "only see own membership" groups
https://notcve.org/view.php?id=CVE-2023-5542
Students in "Only see own membership" groups could see other students in the group, which should have been hidden.
References: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-79213 ; https://bugzilla.redhat.com/show_bug.cgi?id=2243441 ; https://moodle.org/mod/forum/discuss.php?d=451583
Weaknesses: CWE-284: Improper Access Control; CWE-668: Exposure of Resource to Wrong Sphere
CVE-2023-5540 – Moodle: authenticated remote code execution risk in imscp
https://notcve.org/view.php?id=CVE-2023-5540
A remote code execution risk was identified in the IMSCP activity. By default this was only available to teachers and managers.
References: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-79409 ; https://bugzilla.redhat.com/show_bug.cgi?id=2243432 ; https://moodle.org/mod/forum/discuss.php?d=451581
Weaknesses: CWE-94: Improper Control of Generation of Code ('Code Injection')