Moodle 4.1.10

Unsupported Moodle Version

This version of Moodle is no longer supported and will not receive fixes for security risks.
You are encouraged to upgrade to a supported version of Moodle.

Release date: 22 April 2024

Here is the full list of fixed issues in 4.1.10.

General fixes and improvements

• MDL-81060 - Private files area quota applies when unzipping to non-private file areas
• MDL-80835 - Add CHIPS support to LTI cookies
• MDL-79712 - Ensure SameSite=None on MoodleSession cookie to retain support for embedded launches
• MDL-81405 - Support Chrome's partitioned cookies in the mobile app
• MDL-80836 - Replace session piggyback with login flow during account linking process in LTI provider
• MDL-80167 - Add environment check for Oracle database

Security fixes

• MSA-24-0007 - Broken access control when setting calendar event type
• MSA-24-0008 - Stored XSS risk when editing another user's equation in equation editor
• MSA-24-0009 - Stored XSS via user's name on participants page when opening some options
• MSA-24-0011 - Stored XSS in lesson overview report via user ID number
• MSA-24-0012 - CSRF risk in admin preset tool management of presets
• MSA-24-0013 - Authenticated LFI risk in some misconfigured shared hosting environments via modified mod_feedback backup
• MSA-24-0014 - Authenticated LFI risk in some misconfigured shared hosting environments via modified mod_workshop backup
• MSA-24-0015 - Authenticated LFI risk in some misconfigured shared hosting environments via modified mod_wiki backup
• MSA-24-0016 - Authenticated LFI risk in some misconfigured shared hosting environments via modified mod_data backup
• MSA-24-0017 - Unsanitized HTML in site log for config_log_created
• MSA-24-0019 - CSRF risk in analytics management of models