Bug 2243352 (CVE-2023-5539, MSA-23-0031)

Summary: CVE-2023-5539 moodle: Authenticated remote code execution risk in Lesson
Product: [Other] Security Response Reporter: Robb Gatica <rgatica>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: mprpic, ntait, security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: moodle 4.2.3, moodle 4.1.6, moodle 4.0.11, moodle 3.11.17, moodle 3.9.24 Doc Type: If docs needed, set a value
Doc Text:
A remote code execution risk was identified in the Lesson activity. By default this was only available to teachers and managers.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2244897, 2244896    
Bug Blocks: 2243346    

Description Robb Gatica 2023-10-11 21:06:35 UTC 
A remote code execution risk was identified in the Lesson activity. By default this was only available to teachers and managers. This flaw affects versions 4.2 to 4.2.2, 4.1 to 4.1.5, 4.0 to 4.0.10, 3.11 to 3.11.16, 3.9 to 3.9.23 and earlier unsupported versions.
Comment 1 Nick Tait 2023-10-18 18:44:10 UTC 
https://moodle.org/mod/forum/discuss.php?d=451580
Comment 2 Nick Tait 2023-10-18 20:44:08 UTC 
Created moodle tracking bugs for this issue:

Affects: epel-7 [bug 2244897]
Affects: fedora-all [bug 2244896]