[docs] Add security announcements to 4.5.4 and friends

mickhawkins · andrewnicols · commit 919889f3ee79 · 2025-04-22T14:04:17.000+08:00
diff --git a/general/releases/4.1/4.1.18.md b/general/releases/4.1/4.1.18.md
@@ -18,5 +18,17 @@ import { ReleaseNoteIntro } from '@site/src/components/ReleaseInformation';
 <!-- cspell:enable -->
 
 ## Security fixes
-
-A number of security related issues were resolved. Details of these issues will be released after a period of approximately one week to allow system administrators to safely update to the latest version.
+<!-- cspell:disable -->
+- [MSA-25-0013](https://moodle.org/mod/forum/discuss.php?d=467592) - Remote code execution risk via MimeTeX command (upstream)
+- [MSA-25-0018](https://moodle.org/mod/forum/discuss.php?d=467597) - CSRF risk in user tours manager allows tour duplication
+- [MSA-25-0019](https://moodle.org/mod/forum/discuss.php?d=467598) - IDOR in RSS block allows access to additional RSS feeds
+- [MSA-25-0020](https://moodle.org/mod/forum/discuss.php?d=467599) - mod_data edit/delete pages pass CSRF token in GET parameter
+- [MSA-25-0021](https://moodle.org/mod/forum/discuss.php?d=467600) - CSRF risk in Brickfield tool's analysis request action
+- [MSA-25-0022](https://moodle.org/mod/forum/discuss.php?d=467601) - IDOR in web service allows users enrolled in a course to access some details of other users
+- [MSA-25-0023](https://moodle.org/mod/forum/discuss.php?d=467602) - Authenticated remote code execution risk in the Moodle LMS Dropbox repository
+- [MSA-25-0024](https://moodle.org/mod/forum/discuss.php?d=467603) - Authenticated remote code execution risk in the Moodle LMS EQUELLA repository
+- [MSA-25-0025](https://moodle.org/mod/forum/discuss.php?d=467604) - Reflected XSS risk in policy tool
+- [MSA-25-0026](https://moodle.org/mod/forum/discuss.php?d=467605) - AJAX section delete does not respect course_can_delete_section()
+- [MSA-25-0027](https://moodle.org/mod/forum/discuss.php?d=467606) - IDOR in messaging web service allows access to some user details
+- [MSA-25-0028](https://moodle.org/mod/forum/discuss.php?d=467607) - IDOR when accessing the cohorts report
+<!-- cspell:enable -->
diff --git a/general/releases/4.3/4.3.12.md b/general/releases/4.3/4.3.12.md
@@ -18,5 +18,20 @@ import { ReleaseNoteIntro } from '@site/src/components/ReleaseInformation';
 <!-- cspell:enable -->
 
 ## Security fixes
-
-A number of security related issues were resolved. Details of these issues will be released after a period of approximately one week to allow system administrators to safely update to the latest version.
+<!-- cspell:disable -->
+- [MSA-25-0013](https://moodle.org/mod/forum/discuss.php?d=467592) - Remote code execution risk via MimeTeX command (upstream)
+- [MSA-25-0014](https://moodle.org/mod/forum/discuss.php?d=467593) - User DoS and name disclosure risks via IDOR in MFA email factor revoke action
+- [MSA-25-0015](https://moodle.org/mod/forum/discuss.php?d=467594) - Some user data available before completing second factor with MFA enabled
+- [MSA-25-0017](https://moodle.org/mod/forum/discuss.php?d=467596) - Self enrolment available before completing second factor with MFA enabled
+- [MSA-25-0018](https://moodle.org/mod/forum/discuss.php?d=467597) - CSRF risk in user tours manager allows tour duplication
+- [MSA-25-0019](https://moodle.org/mod/forum/discuss.php?d=467598) - IDOR in RSS block allows access to additional RSS feeds
+- [MSA-25-0020](https://moodle.org/mod/forum/discuss.php?d=467599) - mod_data edit/delete pages pass CSRF token in GET parameter
+- [MSA-25-0021](https://moodle.org/mod/forum/discuss.php?d=467600) - CSRF risk in Brickfield tool's analysis request action
+- [MSA-25-0022](https://moodle.org/mod/forum/discuss.php?d=467601) - IDOR in web service allows users enrolled in a course to access some details of other users
+- [MSA-25-0023](https://moodle.org/mod/forum/discuss.php?d=467602) - Authenticated remote code execution risk in the Moodle LMS Dropbox repository
+- [MSA-25-0024](https://moodle.org/mod/forum/discuss.php?d=467603) - Authenticated remote code execution risk in the Moodle LMS EQUELLA repository
+- [MSA-25-0025](https://moodle.org/mod/forum/discuss.php?d=467604) - Reflected XSS risk in policy tool
+- [MSA-25-0026](https://moodle.org/mod/forum/discuss.php?d=467605) - AJAX section delete does not respect course_can_delete_section()
+- [MSA-25-0027](https://moodle.org/mod/forum/discuss.php?d=467606) - IDOR in messaging web service allows access to some user details
+- [MSA-25-0028](https://moodle.org/mod/forum/discuss.php?d=467607) - IDOR when accessing the cohorts report
+<!-- cspell:enable -->
diff --git a/general/releases/4.4/4.4.8.md b/general/releases/4.4/4.4.8.md
@@ -46,5 +46,20 @@ import { ReleaseNoteIntro } from '@site/src/components/ReleaseInformation';
 <!-- cspell:enable -->
 
 ## Security fixes
-
-A number of security related issues were resolved. Details of these issues will be released after a period of approximately one week to allow system administrators to safely update to the latest version.
+<!-- cspell:disable -->
+- [MSA-25-0013](https://moodle.org/mod/forum/discuss.php?d=467592) - Remote code execution risk via MimeTeX command (upstream)
+- [MSA-25-0014](https://moodle.org/mod/forum/discuss.php?d=467593) - User DoS and name disclosure risks via IDOR in MFA email factor revoke action
+- [MSA-25-0015](https://moodle.org/mod/forum/discuss.php?d=467594) - Some user data available before completing second factor with MFA enabled
+- [MSA-25-0017](https://moodle.org/mod/forum/discuss.php?d=467596) - Self enrolment available before completing second factor with MFA enabled
+- [MSA-25-0018](https://moodle.org/mod/forum/discuss.php?d=467597) - CSRF risk in user tours manager allows tour duplication
+- [MSA-25-0019](https://moodle.org/mod/forum/discuss.php?d=467598) - IDOR in RSS block allows access to additional RSS feeds
+- [MSA-25-0020](https://moodle.org/mod/forum/discuss.php?d=467599) - mod_data edit/delete pages pass CSRF token in GET parameter
+- [MSA-25-0021](https://moodle.org/mod/forum/discuss.php?d=467600) - CSRF risk in Brickfield tool's analysis request action
+- [MSA-25-0022](https://moodle.org/mod/forum/discuss.php?d=467601) - IDOR in web service allows users enrolled in a course to access some details of other users
+- [MSA-25-0023](https://moodle.org/mod/forum/discuss.php?d=467602) - Authenticated remote code execution risk in the Moodle LMS Dropbox repository
+- [MSA-25-0024](https://moodle.org/mod/forum/discuss.php?d=467603) - Authenticated remote code execution risk in the Moodle LMS EQUELLA repository
+- [MSA-25-0025](https://moodle.org/mod/forum/discuss.php?d=467604) - Reflected XSS risk in policy tool
+- [MSA-25-0026](https://moodle.org/mod/forum/discuss.php?d=467605) - AJAX section delete does not respect course_can_delete_section()
+- [MSA-25-0027](https://moodle.org/mod/forum/discuss.php?d=467606) - IDOR in messaging web service allows access to some user details
+- [MSA-25-0028](https://moodle.org/mod/forum/discuss.php?d=467607) - IDOR when accessing the cohorts report
+<!-- cspell:enable -->
diff --git a/general/releases/4.5/4.5.4.md b/general/releases/4.5/4.5.4.md
@@ -49,5 +49,21 @@ import { ReleaseNoteIntro } from '@site/src/components/ReleaseInformation';
 <!-- cspell:enable -->
 
 ## Security fixes
-
-A number of security related issues were resolved. Details of these issues will be released after a period of approximately one week to allow system administrators to safely update to the latest version.
+<!-- cspell:disable -->
+- [MSA-25-0013](https://moodle.org/mod/forum/discuss.php?d=467592) - Remote code execution risk via MimeTeX command (upstream)
+- [MSA-25-0014](https://moodle.org/mod/forum/discuss.php?d=467593) - User DoS and name disclosure risks via IDOR in MFA email factor revoke action
+- [MSA-25-0015](https://moodle.org/mod/forum/discuss.php?d=467594) - Some user data available before completing second factor with MFA enabled
+- [MSA-25-0016](https://moodle.org/mod/forum/discuss.php?d=467595) - Assignment submissions search on anonymous submissions reveals student identities
+- [MSA-25-0017](https://moodle.org/mod/forum/discuss.php?d=467596) - Self enrolment available before completing second factor with MFA enabled
+- [MSA-25-0018](https://moodle.org/mod/forum/discuss.php?d=467597) - CSRF risk in user tours manager allows tour duplication
+- [MSA-25-0019](https://moodle.org/mod/forum/discuss.php?d=467598) - IDOR in RSS block allows access to additional RSS feeds
+- [MSA-25-0020](https://moodle.org/mod/forum/discuss.php?d=467599) - mod_data edit/delete pages pass CSRF token in GET parameter
+- [MSA-25-0021](https://moodle.org/mod/forum/discuss.php?d=467600) - CSRF risk in Brickfield tool's analysis request action
+- [MSA-25-0022](https://moodle.org/mod/forum/discuss.php?d=467601) - IDOR in web service allows users enrolled in a course to access some details of other users
+- [MSA-25-0023](https://moodle.org/mod/forum/discuss.php?d=467602) - Authenticated remote code execution risk in the Moodle LMS Dropbox repository
+- [MSA-25-0024](https://moodle.org/mod/forum/discuss.php?d=467603) - Authenticated remote code execution risk in the Moodle LMS EQUELLA repository
+- [MSA-25-0025](https://moodle.org/mod/forum/discuss.php?d=467604) - Reflected XSS risk in policy tool
+- [MSA-25-0026](https://moodle.org/mod/forum/discuss.php?d=467605) - AJAX section delete does not respect course_can_delete_section()
+- [MSA-25-0027](https://moodle.org/mod/forum/discuss.php?d=467606) - IDOR in messaging web service allows access to some user details
+- [MSA-25-0028](https://moodle.org/mod/forum/discuss.php?d=467607) - IDOR when accessing the cohorts report
+<!-- cspell:enable -->
