Skip to main content

Moodle 3.9.8

Unsupported Moodle Version
This version of Moodle is no longer supported and will not receive fixes for security risks.
You are encouraged to upgrade to a supported version of Moodle.

Release date: 12 July 2021

Here is the full list of fixed issues in 3.9.8.

Backported bug fixes

  • MDL-68747 - ChartJS quiz overview report should display numerical ranges LTR also for RTL languages
  • MDL-71060 - Duplicates 'Current category' text in edit question form

Security fixes

  • MSA-21-0020 SQL injection risk in code fetching enrolled courses
  • MSA-21-0021 SQL injection risk in code fetching recent courses
  • MSA-21-0022 Remote code execution risk when Shibboleth authentication is enabled
  • MSA-21-0023 Recursion denial of service possible due to recursive cURL in file repository
  • MSA-21-0024 Blind SSRF possible against cURL blocked hosts via redirect
  • MSA-21-0025 Messaging web service allows deletion of other users' messages
  • MSA-21-0028 IDOR allows removal of other users' calendar URL subscriptions
  • MSA-21-0029 Stored XSS when exporting to data formats supporting HTML via user ID number
  • MSA-21-0030 Insufficient escaping of users' names in account confirmation email - Note: If you have customised the language string emailconfirmation, you will need to edit the customisation and remove the placeholder {$a->firstname}.
  • MSA-21-0031 Messaging email notifications containing HTML may hide the final line of the email

Translations