MSA-18-0016: Quiz question bank import preview could execute JavaScript

by Michael Hawkins.  

When a quiz question bank is imported, it was possible for the question preview that is displayed to execute JavaScript that is written into the question bank.


...
Severity/Risk:Minor
Versions affected:3.5, 3.4 to 3.4.3, 3.3 to 3.3.6, 3.2 to 3.2.9, 3.1 to 3.1.12 and earlier unsupported versions
Versions fixed:3.5.1, 3.4.4,
Leer más...

MSA-18-0015: Web service core_course_get_categories may return invisible categories

by Michael Hawkins.  

It was possible for the core_course_get_categories web service to return hidden categories, which should be omitted when fetching course categories. Note this only affects cases where a user has access to manage categories, but does not also have permission to view hidden categories.


...
Severity/Risk:Minor
Versions affected:3.5
Leer más...


MSA-18-0012: Portfolio script allows instantiation of class chosen by user

by Marina Glancy.  

Substituting URL in portfolios users can instantiate any class, this can also be exploited by users who are logged in as guests to create a DDoS attack


...
Severity/Risk:Serious
Versions affected:3.4 to 3.4.2, 3.3 to 3.3.5, 3.2 to 3.2.8, 3.1 to 3.1.11 and earlier unsupported versions
Versions fixed:3.5, 3.4.3, 3.3.6, 3.2.9 and
Leer más...