Moodle 3.9.8 release notes: Difference between revisions

(released)
==Security fixes==
Details of any security issues will be released after a period of approximately one week to allow system administrators to safely update to the latest version.
* [https://moodle.org/mod/forum/discuss.php?d=424797 MSA-21-0020] SQL injection risk in code fetching enrolled courses
* [https://moodle.org/mod/forum/discuss.php?d=424798 MSA-21-0021] SQL injection risk in code fetching recent courses
* [https://moodle.org/mod/forum/discuss.php?d=424799 MSA-21-0022] Remote code execution risk when Shibboleth authentication is enabled
* [https://moodle.org/mod/forum/discuss.php?d=424801 MSA-21-0023] Recursion denial of service possible due to recursive cURL in file repository
* [https://moodle.org/mod/forum/discuss.php?d=424802 MSA-21-0024] Blind SSRF possible against cURL blocked hosts via redirect
* [https://moodle.org/mod/forum/discuss.php?d=424803 MSA-21-0025] Messaging web service allows deletion of other users' messages
* [https://moodle.org/mod/forum/discuss.php?d=424806 MSA-21-0028] IDOR allows removal of other users' calendar URL subscriptions
* [https://moodle.org/mod/forum/discuss.php?d=424807 MSA-21-0029] Stored XSS when exporting to data formats supporting HTML via user ID number
* [https://moodle.org/mod/forum/discuss.php?d=424808 MSA-21-0030] Insufficient escaping of users' names in account confirmation email
* [https://moodle.org/mod/forum/discuss.php?d=424809 MSA-21-0031] Messaging email notifications containing HTML may hide the final line of the email


==See also==

Revision as of 13:45, 19 July 2021

This version of Moodle is no longer supported for general bug fixes. You are encouraged to upgrade to a supported version of Moodle.


Release date: 12 July 2021

Here is the full list of fixed issues in 3.9.8.

Backported bug fixes

  • MDL-68747 - ChartJS quiz overview report should display numerical ranges LTR also for RTL languages
  • MDL-71060 - Duplicates 'Current category' text in edit question form

Security fixes

  • MSA-21-0020 SQL injection risk in code fetching enrolled courses
  • MSA-21-0021 SQL injection risk in code fetching recent courses
  • MSA-21-0022 Remote code execution risk when Shibboleth authentication is enabled
  • MSA-21-0023 Recursion denial of service possible due to recursive cURL in file repository
  • MSA-21-0024 Blind SSRF possible against cURL blocked hosts via redirect
  • MSA-21-0025 Messaging web service allows deletion of other users' messages
  • MSA-21-0028 IDOR allows removal of other users' calendar URL subscriptions
  • MSA-21-0029 Stored XSS when exporting to data formats supporting HTML via user ID number
  • MSA-21-0030 Insufficient escaping of users' names in account confirmation email
  • MSA-21-0031 Messaging email notifications containing HTML may hide the final line of the email

See also