The JQuery version used by Moodle required upgrading to 3.5.1 to patch some published potential vulnerabilities.
| Severity/Risk: | Minor |
| Versions affected: | 3.10 to 3.10.1, 3.9 to 3.9.4, 3.8 to 3.8.7, 3.5 to 3.5.16 and earlier unsupported versions |
| Versions fixed: | 3.10.2, 3.9.5, 3.8.8 and 3.5.17 |
| Reported by: | Mike Henry |
| CVE identifiers: | C |
The web service responsible for fetching other users' enrolled courses did not validate that the requesting user had permission to view that information in each course.
| Severity/Risk: | Minor |
| Versions affected: | 3.10 to 3.10.1, 3.9 to 3.9.4, 3.8 to 3.8.7, 3.5 to 3.5.16 and earlier unsupported versions |
| Versions fixed: | 3.10.2, |
When creating a user account, it was possible to verify the account without having access to the verification email link/secret.
| Severity/Risk: | Minor |
| Versions affected: | 3.10 to 3.10.1, 3.9 to 3.9.4, 3.8 to 3.8.7, 3.5 to 3.5.16 and earlier unsupported versions |
| Versions fixed: | 3.10.2, 3.9.5, 3.8.8 and 3.5.17 |
| Reported by: | Bandjes |
| CVE |
It was possible for some users without permission to view other users' full names to do so via the online users block.
| Severity/Risk: | Minor |
| Versions affected: | 3.10 to 3.10.1, 3.9 to 3.9.4, 3.8 to 3.8.7, 3.5 to 3.5.16 and earlier unsupported versions |
| Versions fixed: | 3.10.2, 3.9.5, 3.8.8 and 3.5.17 |
| Reported by: | Ankit Agarwal |
| Workarou |