Moodle 3.9.8 release notes

From MoodleDocs
Important:

This content of this page has been updated and migrated to the new Moodle Developer Resources. The information contained on the page should no longer be seen up-to-date.

Why not view this page on the new site and help us to migrate more content to the new site!

This version of Moodle is no longer supported for general bug fixes. You are encouraged to upgrade to a supported version of Moodle.

Releases > Moodle 3.9.8 release notes


Release date: 12 July 2021

Here is the full list of fixed issues in 3.9.8.

Backported bug fixes

  • MDL-68747 - ChartJS quiz overview report should display numerical ranges LTR also for RTL languages
  • MDL-71060 - Duplicates 'Current category' text in edit question form

Security fixes

  • MSA-21-0020 SQL injection risk in code fetching enrolled courses
  • MSA-21-0021 SQL injection risk in code fetching recent courses
  • MSA-21-0022 Remote code execution risk when Shibboleth authentication is enabled
  • MSA-21-0023 Recursion denial of service possible due to recursive cURL in file repository
  • MSA-21-0024 Blind SSRF possible against cURL blocked hosts via redirect
  • MSA-21-0025 Messaging web service allows deletion of other users' messages
  • MSA-21-0028 IDOR allows removal of other users' calendar URL subscriptions
  • MSA-21-0029 Stored XSS when exporting to data formats supporting HTML via user ID number
  • MSA-21-0030 Insufficient escaping of users' names in account confirmation email - Note: If you have customised the language string emailconfirmation, you will need to edit the customisation and remove the placeholder {$a->firstname}.
  • MSA-21-0031 Messaging email notifications containing HTML may hide the final line of the email

See also