Moodle 4.0.x < 4.0.1 Multiple Vulnerabilities

The version of Moodle installed on the remote host is 3.9.x prior to 3.9.14, 3.10.x prior to 3.10.11, 3.11.x prior to 3.11.7 or 4.0.x prior to 4.0.1. It is, therefore, affected by multiple vulnerabilities:

• A stored Cross-Site Scripting (XSS) vulnerability in ID numbers displayed when bulk allocating markers to assignments. (CVE-2022-30596)

• An improper handling of the description user field which is not hidden when being set as a hidden user field. (CVE-2022-30597)

• An information disclosure in the global search results which could include author information on some activities where a user may not otherwise have access to it. (CVE-2022-30598)

• An SQL injection in badges code relating to configuring criteria available to site administrators. (CVE-2022-30599)

• A bypass in the account lockout treshold due to an issue in the logic used to count failed login attempts. (CVE-2022-30600)

• A vulnerable version of mlbackend python library included in Moodle.

Note that the scanner has not attempted to exploit this issue but has instead relied only on application’s self-reported version number.