Bug 2243437 (CVE-2023-5541, MSA-23-0033)

Summary: CVE-2023-5541 moodle: XSS risk when using CSV grade import method
Product: [Other] Security Response Reporter: Robb Gatica <rgatica>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: ntait, security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: moodle 4.2.3, moodle 4.1.6, moodle 4.0.11, moodle 3.11.17, moodle 3.9.24 Doc Type: If docs needed, set a value
Doc Text:
The CSV grade import method contained an XSS risk for users importing the spreadsheet, if it contained unsafe content.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2244900, 2244901    
Bug Blocks: 2243346    

Description Robb Gatica 2023-10-11 23:52:44 UTC 
The CSV grade import method contained an XSS risk for users importing the spreadsheet, if it contained unsafe content. The suggested workaround was to verify the contents and trustworthiness of grade spreadsheets before importing them. This flaw affects versions 4.2 to 4.2.2, 4.1 to 4.1.5, 4.0 to 4.0.10, 3.11 to 3.11.16, 3.9 to 3.9.23 and earlier unsupported versions.
Comment 2 Nick Tait 2023-10-18 18:45:53 UTC 
https://moodle.org/mod/forum/discuss.php?d=451582
Comment 3 Nick Tait 2023-10-18 20:45:00 UTC 
Created moodle tracking bugs for this issue:

Affects: epel-7 [bug 2244900]
Affects: fedora-all [bug 2244901]