Moodle, an application used by millions of students around the world, exposes a new vulnerability

In Moodle, a weakness was observed where the decompressed size of uploaded zip files was not checked against the user's available quota until after they had been unzipped, which could lead to a denial of service.

This affects versions 3.9 to 3.9.1, 3.8 to 3.8.4, 3.7 to 3.7.7, 3.5 to 3.5.13 and earlier, unsupported versions. The issue is fixed in 3.9.2, 3.8.5, 3.7.8 and 3.5.14.
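The defensive pattern the fix describes, checking what an archive will expand to before (and while) extracting it, as an added illustration that is not Moodle's own code. It uses Python's standard `zipfile` module; the archive is constructed in memory, and the quota and ratio limits are assumed values, not anything Moodle uses:

```python
import io
import zipfile

CHUNK = 64 * 1024  # bytes decompressed per read while streaming a member


def build_sample_zip(member_size: int) -> bytes:
    """Constructed sample archive: a zero-filled member (which compresses
    extremely well, so the declared size dwarfs the archive size) plus a
    tiny text member. Used only to exercise the checks below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("payload.bin", b"\0" * member_size)
        zf.writestr("notes.txt", b"hello")
    return buf.getvalue()


def declared_uncompressed_size(zip_bytes: bytes) -> int:
    """Sum of the sizes the central directory claims for every member.
    Cheap pre-check: nothing has been decompressed yet."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return sum(info.file_size for info in zf.infolist())


def precheck(zip_bytes: bytes, quota_remaining: int, max_ratio: int = 100):
    """Reject before extraction if the declared size exceeds the remaining
    quota, or if the declared-to-compressed ratio looks like a zip bomb.
    The 100:1 default ratio is an assumed policy value."""
    declared = declared_uncompressed_size(zip_bytes)
    if declared > quota_remaining:
        return False, f"declared size {declared} exceeds remaining quota {quota_remaining}"
    if declared > max_ratio * max(len(zip_bytes), 1):
        return False, f"compression ratio above {max_ratio}:1"
    return True, "ok"


class QuotaExceeded(Exception):
    pass


def stream_extract(zip_bytes: bytes, quota_remaining: int) -> dict:
    """Decompress member by member, counting the bytes actually produced,
    and abort as soon as the running total passes the quota. The central
    directory can be forged, so declared sizes alone are not trusted.
    Returns {member name: bytes produced} on success."""
    written = {}
    total = 0
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            size = 0
            with zf.open(info) as member:
                while True:
                    chunk = member.read(CHUNK)
                    if not chunk:
                        break
                    size += len(chunk)
                    total += len(chunk)
                    if total > quota_remaining:
                        raise QuotaExceeded(
                            f"stopped at {info.filename}: {total} bytes > quota {quota_remaining}"
                        )
            written[info.filename] = size
    return written


def extract_within_quota(zip_bytes: bytes, quota_remaining: int, max_ratio: int = 100) -> dict:
    """Both layers together: cheap header check first, then a streaming
    guard during the real decompression."""
    ok, reason = precheck(zip_bytes, quota_remaining, max_ratio)
    if not ok:
        raise QuotaExceeded(reason)
    return stream_extract(zip_bytes, quota_remaining)


if __name__ == "__main__":
    sample = build_sample_zip(10_000)
    print("archive bytes:", len(sample), "declared:", declared_uncompressed_size(sample))
    print(precheck(sample, quota_remaining=5_000))
    print(extract_within_quota(sample, quota_remaining=20_000, max_ratio=1_000))
```

The two layers matter because they fail differently: the header check costs nothing but can be lied to, while the streaming counter cannot be fooled but only stops the damage once decompression has started, so the cap must be enforced on bytes produced rather than on bytes read from the archive.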

Another vulnerability in this app:

MSA-20-0015: Chapter name in book not always escaped with forceclean enabled

by Michael Hawkins 

It was possible to include JavaScript in a book’s chapter title, which was not escaped on the “Add new chapter” page.

Note: By default this functionality is only available to trusted users (such as teachers), but it has been classified as a security issue as a precaution, since the title was not sanitized even on sites with forceclean enabled.

Solution:

Update your application.