Insufficient input escaping was applied to the PHP unit webrunner admin tool.
NOTE: It is important to note that this update is only flagged as a precautionary measure, as it may provide limited CLI access to Moodle site admins. This may be considered a security risk in circumstances where admins do not ordinarily have...
X-Forwarded-For headers could be used to spoof a user's IP, in order to bypass remote address checks.
PATCH NOTE: For user IPs to be checked (and logged) accurately after this patch is applied, sites using multiple levels of reverse proxies/balancers that append to the X-Forwarded-For header will need to configure the new "...
Users viewing the grade history report without the 'access all groups' capability were not restricted to viewing grades of users within their own groups.
| Severity/Risk: | Minor |
| Versions affected: | 3.8 to 3.8.1, 3.7 to 3.7.4, 3.6 to 3.6.8, 3.5 to 3.5.10 and earlier unsupported versions |
| Versions fixed: | 3.8.2, 3.7.5, 3.6.9 and 3.5.11 |
| R |
Messages required extra sanitizing before updating the conversation overview, to prevent the risk of stored XSS.
| Severity/Risk: | Serious |
| Versions affected: | 3.8 |
| Versions fixed: | 3.8.1 |
| Reported by: | Cid da Costa |
| Workaround: | Disable the messaging system until the patch has been applied. |
| CVE identifier: | CVE-2020-1691 |
| Changes (master): | http://g |