The participants table download always included user emails, but should have only done so when users' emails are not hidden.
| Severity/Risk: | Minor |
| Versions affected: | 3.9 to 3.9.2, 3.8 to 3.8.5 and 3.7 to 3.7.8 |
| Versions fixed: | 3.10, 3.9.3, 3.8.6 and 3.7.9 |
| Reported by: | A. Schenkel |
| CVE identifier: | CVE-2020-25703 |
| Changes (master): | http://g |
It was possible to include JavaScript when re-naming content bank items.
| Severity/Risk: | Minor |
| Versions affected: | 3.9 to 3.9.2 |
| Versions fixed: | 3.10, 3.9.3 |
| Reported by: | DegrangeM |
| CVE identifier: | CVE-2020-25702 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-69046 |
| Tracker issue: | MDL-6 |
If the upload course tool was used to delete an enrolment method which did not exist or was not already enabled, the tool would erroneously enable that enrolment method. This could lead to unintended users gaining access to the course.
| Severity/Risk: | Minor |
| Versions affected: | 3.9 to 3.9.2, 3.8 to 3.8.5, 3.7 to 3.7.8 and 3.5 to |
Some database module web services allowed students to add entries within groups they did not belong to.
| Severity/Risk: | Minor |
| Versions affected: | 3.9 to 3.9.2, 3.8 to 3.8.5, 3.7 to 3.7.8, 3.5 to 3.5.14 and earlier unsupported versions |
| Versions fixed: | 3.10, 3.9.3, 3.8.6, 3.7.9 and 3.5.15 |
| Reported by: | Dani Palou |
| CVE identifier: | CVE-2020 |