MSA-20-0004: Admin PHP unit webrunner tool requires additional input escaping

by Michael Hawkins.  

Insufficient input escaping was applied to the PHP unit webrunner admin tool.

NOTE: It is important to note that this update is only flagged as a precautionary measure, as it may provide limited CLI access to Moodle site admins. This may be considered a security risk in circumstances where admins do not ordinarily have...


MSA-20-0003: IP addresses can be spoofed using X-Forwarded-For

by Michael Hawkins.  

X-Forwarded-For headers could be used to spoof a user's IP, in order to bypass remote address checks.

PATCH NOTE: For user IPs to be checked (and logged) accurately after this patch is applied, sites using multiple levels of reverse proxies/balancers that append to the X-Forwarded-For header will need to configure the new "...


MSA-20-0002: Grade history report does not respect Separate groups mode in the course settings

by Michael Hawkins.  

Users viewing the grade history report without the 'access all groups' capability were not restricted to viewing grades of users within their own groups.


...
Severity/Risk: Minor
Versions affected: 3.8 to 3.8.1, 3.7 to 3.7.4, 3.6 to 3.6.8, 3.5 to 3.5.10 and earlier unsupported versions
Versions fixed: 3.8.2, 3.7.5, 3.6.9 and 3.5.11
R