Skip to main content

Moodle 4.0.7

Unsupported Moodle Version
This version of Moodle is no longer supported and will not receive fixes for security risks.
You are encouraged to upgrade to a supported version of Moodle.

Release date: 13 March 2023

Here is the full list of fixed issues in 4.0.7.

General fixes and improvements

  • MDL-69690 - Require Assessment Grade for Workshop Activity Completion Blocked
  • MDL-66221 - Deleted activities cannot be restored from recycle bin when backup_auto_activities setting is disabled
  • MDL-70586 - Feedback: the preview icon shouldn't be displayed for students
  • MDL-74756 - Previous activity with completion not working if activity completion is disabled
  • MDL-76525 - mod_data: Missing validation of image width and height
  • MDL-76947 - Dropdown menus are narrower and unnecessarily wrap
  • MDL-73847 - LTI 1.3: Keyset fetch does not use the HTTP proxy
  • MDL-75719 - Wrong completion status for hidden grade items
  • MDL-77003 - Template string helper does not render complex language strings
  • MDL-58945 - Showing rendered question text can break JS: disable filtering on quiz edit page and make optional in the question bank
  • MDL-74905 - Decide Moodle 4.2 requirements and push them to environment.xml (due date: 2022-12-26)
  • MDL-74698 - Course backups from versions earlier than 3.11.7 lose format options on restore
  • MDL-77014 - Single activity course format should support multilang course titles
  • MDL-75012 - Bump nodejs from lts/gallium to stable (>=v18.x.x, now lts/hydrogen)
  • MDL-77230 - The preview of questions for feedback is still possible via WebServices
  • MDL-77322 - Authenticate token requests via HTTP headers cannot be turned off
  • MDL-76314 - Add missing form validation when combining single discussion and separate group
  • MDL-77057 - Module override forms are not correctly formatting group names
  • MDL-77210 - Quiz 'Try another question like this one' breaks regrading
  • MDL-76904 - Question bank: Question highlight is missing after we go back and forth between pages
  • MDL-76298 - Drag drop questions don't validate that drop zones have been defined (causing division by zero errors in the statistics)
  • MDL-77241 - Javascript console errors opening section/activity menus when editing course
  • MDL-76878 - Prohibiting editownprofile capability breaks functionality of blocks/content bank
  • MDL-63608 - Access order when manually grading quizzes
  • MDL-76948 - Description of submission_unlocked event says "locked" instead of "unlocked"
  • MDL-76066 - Deleting a field when applying a preset doesn't raise 'field deleted' event
  • MDL-76602 - Cannot add LTI 1.3 LTI service without modifying locallib
  • MDL-77024 - Quiz editing log events have the wrong edulevel
  • MDL-77018 - Error loading question bank statistics if the context no longer exists
  • MDL-77365 - Inaccurate word count

Accessibility improvements

  • MDL-76672 - block_myoverview: aria-label attribute is not well supported on a div without role attribute
  • MDL-77052 - block_recentlyaccesseditems: Element with role="list" must have children with role="listitem"
  • MDL-77318 - core / user_menu: aria-label attribute is not well supported on a div without role attribute
  • MDL-76313 - improve accessibility on subscribers page

Security improvements

  • MDL-76478 - Browsers auto-completing the user's password into inappropriate password unmask form fields
  • MDL-76370 - Public / private paths security report is inaccurate when using HTTP proxy
  • MDL-75454 - sesskey included in URL in cache administration adding and editing stores

Security fixes

  • MSA-23-0004 - Authenticated SQL injection via availability check
  • MSA-23-0005 - Authenticated arbitrary file read through malformed backup file
  • MSA-23-0006 - XSS risk when outputting database activity filter data
  • MSA-23-0007 - Algebra filter XSS when filter is misconfigured
  • MSA-23-0008 - Pix helper potential Mustache code injection risk
  • MSA-23-0009 - Users' name enumeration possible via IDOR on learning plans page
  • MSA-23-0011 - Teacher can access names of users they do not have permission to access
  • MSA-23-0012 - Course participation report shows roles the user should not see