Moodle 4.2.9

Unsupported Moodle Version
This version of Moodle is no longer supported and will not receive fixes for security risks.
You are encouraged to upgrade to a supported version of Moodle.

Release date: 12 August 2024

Here is the full list of fixed issues in 4.2.9.

General fixes and improvements

  • MDL-80345 - Hash collision guaranteed to break cron with 'locktimeout' (only with PostgreSQL)
  • MDL-66903 - Support autoloading of test classes
  • MDL-82373 - Support Selenium 4

Accessibility improvements

  • MDL-72876 - The new welcome message is not accessible when there's a background

Security improvements

  • MDL-81803 - Setting privacyrequestexpiry to 0 immediately expires data requests

Security fixes

  • MSA-24-0026 - Remote code execution via calculated question types
  • MSA-24-0027 - Arbitrary file read risk through pdfTeX
  • MSA-24-0028 - Admin presets export tool includes some secrets that should not be exported
  • MSA-24-0029 - Cache poisoning via injection into storage
  • MSA-24-0030 - User information visibility control issues in gradebook reports
  • MSA-24-0032 - IDOR in badges allows deletion of arbitrary badges
  • MSA-24-0033 - Authorization headers preserved between "emulated redirects"
  • MSA-24-0035 - CSRF risk in Feedback non-respondents report
  • MSA-24-0036 - Can create global glossary without being admin
  • MSA-24-0037 - Site administration SQL injection via XMLDB editor
  • MSA-24-0038 - XSS risk when restoring malicious course backup file
  • MSA-24-0039 - IDOR in Feedback non-respondents report allows messaging arbitrary site users
  • MSA-24-0040 - Reflected XSS via H5P error message
  • MSA-24-0041 - LFI vulnerability when restoring malformed block backups