Moodle 4.2.9
Unsupported Moodle Version
This version of Moodle is no longer supported for general bug fixes.
You are encouraged to upgrade to a supported version of Moodle.
You are encouraged to upgrade to a supported version of Moodle.
Release date: 12 August 2024
Here is the full list of fixed issues in 4.2.9.
General fixes and improvements
- MDL-80345 - Hash collision guaranteed to break cron with 'locktimeout' (only with PostgreSQL)
- MDL-66903 - Support autoloading of test classes
- MDL-82373 - Support Selenium 4
Accessibility improvements
- MDL-72876 - The new welcome message is not accessible when there's a background
Security improvements
- MDL-81803 - Setting privacyrequestexpiry to 0 immediately expires data requests
Security fixes
- MSA-24-0026 - Remote code execution via calculated question types
- MSA-24-0027 - Arbitrary file read risk through pdfTeX
- MSA-24-0028 - Admin presets export tool includes some secrets that should not be exported
- MSA-24-0029 - Cache poisoning via injection into storage
- MSA-24-0030 - User information visibility control issues in gradebook reports
- MSA-24-0032 - IDOR in badges allows deletion of arbitrary badges
- MSA-24-0033 - Authorization headers preserved between "emulated redirects"
- MSA-24-0035 - CSRF risk in Feedback non-respondents report
- MSA-24-0036 - Can create global glossary without being admin
- MSA-24-0037 - Site administration SQL injection via XMLDB editor
- MSA-24-0038 - XSS risk when restoring malicious course backup file
- MSA-24-0039 - IDOR in Feedback non-respondents report allows messaging arbitrary site users
- MSA-24-0040 - Reflected XSS via H5P error message
- MSA-24-0041 - LFI vulnerability when restoring malformed block backups