by Marina Glancy.
Directories vendor/ and node_modules/ that are created by composer and used during Moodle development may expose dangerous scripts to the web and should never be present on production sites. This issue adds a respective security check.
Manual action may be required from the site admin to remove composer-generated...
by Marina Glancy.
This fix may affect plugins using this API function, there is no exploit in standard Moodle
| Severity/Risk: | Minor |
| Versions affected: | 3.3 to 3.3.1, 3.2 to 3.2.4, 3.1 to 3.1.7 and earlier unsupported versions |
| Versions fixed: | 3.3.2, 3.2.5 and 3.1.8 |
| Reported by: | Ankit Agarwal |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=se |
by Marina Glancy.
Number of course reports allowed teachers to view details about users in the groups they can't access
| Severity/Risk: | Minor |
| Versions affected: | 3.3 to 3.3.1, 3.2 to 3.2.4, 3.1 to 3.1.7 and earlier unsupported versions |
| Versions fixed: | 3.3.2, 3.2.5 and 3.1.8 |
| Reported by: | Juan Leyva |
| CVE identifier: | CVE-2017-12157 |
| Changes (master): | http://git |
by Marina Glancy.
Form on the feedback "non-respondents" page does not escape the value of subject thus creating self-XSS. This can be used to attack another user by tricking them into opening malicious URL whilst in an open Moodle session
| Severity/Risk: | Minor |
| Versions affected: | 3.3 to 3.3.1, 3.2 to 3.2.4, 3.1 to 3.1.7 and earlier unsupported |