by Marina Glancy.
Old CAS servers (3.3.5.1 or 3.4.2.1, both released Jul 21, 2010) do not escape the failure message which could be exploited with the phpCAS client library that is shipped as part of Moodle. Only fix for this issue was picked to phpCAS library in Moodle, the library will be upgraded to the latest version in the next major...
by Marina Glancy.
Insufficient permission check in "Site administration" tree allows users who have permission to access one page in the tree to change other settings.
| Severity/Risk: | Minor |
| Versions affected: | 3.3, 3.2 to 3.2.3, 3.1 to 3.1.6 and earlier unsupported versions |
| Versions fixed: | 3.3.1, 3.2.4 and 3.1.7 |
| Reported by: | Thomas Jaisson |
| CVE |
by Marina Glancy.
Timeline view of the new course overview block can show events for activities that user can not yet access because the course is hidden.
| Severity/Risk: | Minor |
| Versions affected: | 3.3 |
| Versions fixed: | 3.3.1 |
| Reported by: | Charles Fulton |
| CVE identifier: | CVE-2017-7531 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HE |
by Marina Glancy.
Some pages show full names of users as part of the permission error message even for users who do not have capability to view full names
| Severity/Risk: | Minor |
| Versions affected: | 3.3, 3.2 to 3.2.3, 3.1 to 3.1.6 and earlier unsupported versions |
| Versions fixed: | 3.3.1, 3.2.4 and 3.1.7 |
| Reported by: | Andreas Grabs |
| CVE identifier: | CVE-2017-264 |