Alert GCSA-20085 - Security update for Moodle
******************************************************************
alert ID: GCSA-20085
date: 22 September 2020
title: Security update for Moodle
******************************************************************
:: Problem description
New versions of the Moodle e-learning platform have been released,
which fix several vulnerabilities.
MSA-20-0011: Stored XSS via moodlenetprofile parameter in user profile
MSA-20-0012: Reflected XSS in tag manager
MSA-20-0013: "Log in as" capability in a course context may lead to some privilege escalation
MSA-20-0014: Denial of service risk in file picker unzip functionality
MSA-20-0015: Chapter name in book not always escaped with forceclean enabled
More information is available in the official advisories
listed in the "References" section.
:: Affected software
Moodle versions prior to 3.9.2
Moodle versions prior to 3.8.5
Moodle versions prior to 3.7.8
:: Impact
Cross Site Scripting (XSS)
Denial of Service (DoS)
Privilege Escalation (EoP)
:: Solutions
Update to the latest versions
Moodle 3.9.2
Moodle 3.8.5
Moodle 3.7.8
Moodle 3.5.14
https://moodle.org/mod/forum/discuss.php?d=410396#p1655385
https://download.moodle.org/releases/latest/
:: References
Moodle - Security announcements
https://moodle.org/security/
https://moodle.org/mod/forum/discuss.php?d=410839&parent=1657001
https://moodle.org/mod/forum/discuss.php?d=410840&parent=1657002
https://moodle.org/mod/forum/discuss.php?d=410841&parent=1657003
https://moodle.org/mod/forum/discuss.php?d=410841&parent=1657004
https://moodle.org/mod/forum/discuss.php?d=410841&parent=1657005
Mitre CVE
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25627
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25628
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25629
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25630
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25631
GARR CERT Security Alert - subscribe/unsubscribe:
http://www.cert.garr.it/alert/ricevi-gli-alert-di-cert