MSA-19-0019: Course creation did not check the creator's role assignment capability before automatically assigning them as a teacher in the course

by Michael Hawkins.  

Users with the capability to create courses were assigned as a teacher in those courses, regardless of whether they had the capability to be automatically assigned that role.


...
Severity/Risk: Minor
Versions affected: 3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and earlier unsupported versions
Versions fixed: 3.7.2, 3.6.6 and 3.5.8
Rep
Read more...

MSA-19-0018: JavaScript injection possible in some Mustache templates via recursive rendering from contexts

by Michael Hawkins.  

Mustache helper tags that were included in template contexts were not being escaped before that context was injected into another Mustache helper, which could result in script injection in some templates.


...
Severity/Risk: Serious
Versions affected: 3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and earlier unsupported versions
Versions
Read more...

MSA-19-0017: Upgrade TCPDF library for PHP 7.3 and bug fixes (upstream)

by Michael Hawkins.  

The third-party TCPDF library used by Moodle required updating to pick up bug fixes, including a security fix (see CVE for more details).


...
Severity/Risk: Minor
Versions affected: 3.7, 3.6 to 3.6.4, 3.5 to 3.5.6 and earlier unsupported versions
Versions fixed: 3.7.1, 3.6.5 and 3.5.7
Reported by: Dan Marsden
CVE identifier: CVE-2018-1705
Read more...

MSA-19-0016: Assignment group overrides did not observe separate groups mode

by Michael Hawkins.  

Teachers in an assignment group could modify group overrides for other groups in the same assignment.


...
Severity/Risk: Minor
Versions affected: 3.7, 3.6 to 3.6.4, 3.5 to 3.5.6 and earlier unsupported versions
Versions fixed: 3.7.1, 3.6.5 and 3.5.7
Reported by: David Monllaó
CVE identifier: CVE-2019-10189
Changes (master):http://git.moo
Read more...