Moodle 3.9.8

Unsupported Moodle Version

This version of Moodle is no longer supported for general bug fixes.
You are encouraged to upgrade to a supported version of Moodle.

Release date: 12 July 2021

Here is the full list of fixed issues in 3.9.8.

Backported bug fixes

• MDL-68747 - ChartJS quiz overview report should display numerical ranges LTR also for RTL languages
• MDL-71060 - Duplicates 'Current category' text in edit question form

Security fixes

• MSA-21-0020 SQL injection risk in code fetching enrolled courses
• MSA-21-0021 SQL injection risk in code fetching recent courses
• MSA-21-0022 Remote code execution risk when Shibboleth authentication is enabled
• MSA-21-0023 Recursion denial of service possible due to recursive cURL in file repository
• MSA-21-0024 Blind SSRF possible against cURL blocked hosts via redirect
• MSA-21-0025 Messaging web service allows deletion of other users' messages
• MSA-21-0028 IDOR allows removal of other users' calendar URL subscriptions
• MSA-21-0029 Stored XSS when exporting to data formats supporting HTML via user ID number
• MSA-21-0030 Insufficient escaping of users' names in account confirmation email - Note: If you have customised the language string emailconfirmation, you will need to edit the customisation and remove the placeholder {$a->firstname}.
• MSA-21-0031 Messaging email notifications containing HTML may hide the final line of the email

Translations

• Notes de mise à jour de Moodle 3.9.8
• Notas de Moodle 3.9.8