Moodle 4.3.6
Release date: 12 August 2024
Here is the full list of fixed issues in 4.3.6.
General fixes and improvements
- MDL-79758 - Quiz add from question bank: paging loses filter options
- MDL-77665 - H5P activity Link to file error after removing user
- MDL-80017 - user_get_grade_items web service throws exception with special characters and spaces
- MDL-73662 - 404 error on quiz with browsersecurity when time finish or student clicks "Submit all and finish"
- MDL-82344 - LTI Select content button has become required
- MDL-78388 - Duplicate activity does not copy permission overrides
- MDL-75864 - Cleaning old sessions from cache not working (and raises warnings if no sessions found)
- MDL-79796 - Quiz add from question bank pop-up: Question preview icon should be visible without scrolling
- MDL-66251 - Static form elements cannot be hidden using hideIf and disabled using disabledif
- MDL-81739 - TinyMCE noautolink plugin behaves differently to Atto version
- MDL-80345 - Hash collision guaranteed to break cron with 'locktimeout' (only with PostgreSQL)
- MDL-79231 - TinyMCE in fullscreen mode doesn't show menus in Feedback comments (Assignment and modals)
- MDL-81689 - Failing ad-hoc tasks sometimes run twice ignoring nextruntime/faildelay
- MDL-70972 - Course Creator cannot create Single Activity course format
- MDL-77834 - Feedback module has a problem with symbols such as ampersand (&) and quotation mark (")
- MDL-81730 - Randomly incorrect submission order in PDF annotator
- MDL-66903 - Support autoloading of test classes
- MDL-82605 - H5P core content bank slow when user has elevated system capabilities
- MDL-78080 - Duplicate section has several issues
- MDL-81781 - CSV log report exports contain HTML code for the apostrophe in the "Description" field
- MDL-80064 - Null passwords no longer allowed for auth plugin user creation
- MDL-82373 - Support Selenium 4
- MDL-80947 - Changing some course settings removes the "Custom link" URL setting for the course
- MDL-58287 - Missing format not listed in plugins overview
- MDL-80061 - Change Field Used to Filter recordings in check_dismissed_recordings task
- MDL-82024 - Highlight/Un-highlight icon is not updated properly in the actions menu
- MDL-82100 - Quiz reports do not show customised question numbers
- MDL-69514 - Help text floating after closing a modal
- MDL-81287 - Setting Discussions per page (forum_manydiscussions) has no effect
- MDL-81949 - Replace CLI script options return true if no arguments given
- MDL-68540 - hideIf function doesn't work with editor field
- MDL-81510 - "Text and media" resources are not automatically opened in additional cases (follow up of MDL-80934)
- MDL-82289 - Feedback response action bar doesn't correctly identify site course
- MDL-82467 - Days taking course columns do not aggregate/sort correctly
- MDL-82309 - Linktext option gets lost when the new comments loaded in via AJAX
- MDL-82528 - Colour setting of the group icon cannot be changed in the settings menu of the activities
- MDL-82481 - Custom fields of type dropdown don't format their options consistently
- MDL-82451 - Switch hide and show icons for section action menu
- MDL-82090 - Workshop error message in settings page after student's submission
- MDL-81265 - Accessibility issues on the workshop page
- MDL-81428 - The "Add to contacts" button does not let the user know that the request has been sent
- MDL-68211 - Feedback has wrong numbers in excel export file
- MDL-82193 - AICC HACP multiline content not stored/processed correctly
- MDL-82200 - Inplace editable: background behind instruction text sometimes too short
- MDL-79971 - Activity completion Report - Course modules can get marked as view even when they aren't viewed
- MDL-82444 - The "Tidy" text filter doesn't advertise the fact it requires an extension
- MDL-82445 - filter_tidy breaks page locale
- MDL-81119 - Recycle bin is ignoring forced config settings
- MDL-82308 - Forms - multi-selects - set a sensible default size for the number of choices (backport of MDL-81515)
- MDL-81761 - Frequently Used Comment in Assignment is inserted twice when using Chrome
- MDL-82178 - Quiz attempt graded notification not sent if the permission is only assigned in the quiz context
- MDL-80625 - Plugin mod_bigbluebuttonbn: Wrong API parameter
- MDL-82167 - The reactive debug panel throws an error when editing the state manually
- MDL-81678 - Course email subjects containing & show &
- MDL-78773 - Course Statistics: Mode Selection rendered in Primary Navigation
- MDL-82233 - The "This badge has been issued user(s)." notification is displayed in more situations than expected
- MDL-82202 - Course last access custom report column doesn't aggregate correctly
- MDL-82611 - Grade button appears in assignments without having grading capability
- MDL-82360 - Remove error console debugging when uploading course files
- MDL-82208 - Starred courses block problem with special characters
- MDL-81644 - Calendar day view from calendar block gives error 404 after reloading the page
- MDL-81932 - Communication provider change not limiting room name update to newly set provider
- MDL-81830 - Clearing course selection in new calendar event triggers exception
- MDL-82002 - Video embedding from the app is not styled correctly
- MDL-73091 - Undefined variable: overall in award_criteria_courseset.php
- MDL-81991 - has_capability() does not return the correct result for some tasks if user data marked "dirty" (requiring re-fetching)
- MDL-82008 - "Continue" and "Cancel" buttons not separated in final course restore step
Accessibility improvements
- MDL-72876 - The new welcome message is not accessible when there's a background
- MDL-82551 - Page is missing a level 1 heading when the welcome message is displayed
Security improvements
- MDL-81803 - Setting privacyrequestexpiry to 0 immediately expires data requests
Security fixes
- MSA-24-0026 - Remote code execution via calculated question types
- MSA-24-0027 - Arbitrary file read risk through pdfTeX
- MSA-24-0028 - Admin presets export tool includes some secrets that should not be exported
- MSA-24-0029 - Cache poisoning via injection into storage
- MSA-24-0030 - User information visibility control issues in gradebook reports
- MSA-24-0032 - IDOR in badges allows deletion of arbitrary badges
- MSA-24-0033 - Authorization headers preserved between "emulated redirects"
- MSA-24-0034 - Matrix user/power level management not always working as expected with suspended users
- MSA-24-0035 - CSRF risk in Feedback non-respondents report
- MSA-24-0036 - Can create global glossary without being admin
- MSA-24-0037 - Site administration SQL injection via XMLDB editor
- MSA-24-0038 - XSS risk when restoring malicious course backup file
- MSA-24-0039 - IDOR in Feedback non-respondents report allows messaging arbitrary site users
- MSA-24-0040 - Reflected XSS via H5P error message
- MSA-24-0041 - LFI vulnerability when restoring malformed block backups