Substituting URL in portfolios users can instantiate any class, this can also be exploited by users who are logged in as guests to create a DDoS attack
| Severity/Risk: | Serious |
| Versions affected: | 3.4 to 3.4.2, 3.3 to 3.3.5, 3.2 to 3.2.8, 3.1 to 3.1.11 and earlier unsupported versions |
| Versions fixed: | 3.5, 3.4.3, 3.3.6, 3.2.9 and |
Site policies agreement is not checked for logged in users who browse front page and activities on it
| Severity/Risk: | Minor |
| Versions affected: | 3.4 to 3.4.2, 3.3 to 3.3.5, 3.2 to 3.2.8, 3.1 to 3.1.11 and earlier unsupported versions |
| Versions fixed: | 3.5, 3.4.3, 3.3.6, 3.2.9 and 3.1.12 |
| Reported by: | Marina Glancy |
| Changes (master): | http://g |
Authenticated user are allowed to add HTML blocks containing scripts to their Dashboard and this is normally not a security issue because personal dashboard is visible to this user only. Through this security vulnerability users can move such block to other pages where they can be viewed by other users.
| Severity/Risk: | Serious |
| V |
Students who posted on forum and exported the post to portfolios can download any stored Moodle file by changing download URL
| Severity/Risk: | Minor |
| Versions affected: | 3.4 to 3.4.2, 3.3 to 3.3.5, 3.2 to 3.2.8, 3.1 to 3.1.11 and earlier unsupported versions |
| Versions fixed: | 3.5, 3.4.3, 3.3.6, 3.2.9 and 3.1.12 |
| Reported by: | Brendan Cox |
| Wor |