MSA-20-0003: IP addresses can be spoofed using X-Forwarded-For

by Michael Hawkins.  

X-Forwarded-For headers could be used to spoof a user's IP, in order to bypass remote address checks.

PATCH NOTE: For user IPs to be checked (and logged) accurately after this patch is applied, sites using multiple levels of reverse proxies/balancers that append to the X-Forwarded-For header will need to configure the new "...


MSA-20-0002: Grade history report does not respect Separate groups mode in the course settings

by Michael Hawkins.  

Users viewing the grade history report without the 'access all groups' capability were not restricted to viewing grades of users within their own groups.


...
Severity/Risk: Minor
Versions affected: 3.8 to 3.8.1, 3.7 to 3.7.4, 3.6 to 3.6.8, 3.5 to 3.5.10 and earlier unsupported versions
Versions fixed: 3.8.2, 3.7.5, 3.6.9 and 3.5.11


MSA-19-0029: Reflected XSS possible from some fatal error messages

by Michael Hawkins.  

Fatal error messages required extra sanitizing to prevent reflected XSS risks on some pages.


...
Severity/Risk: Serious
Versions affected: 3.7 to 3.7.2, 3.6 to 3.6.6, 3.5 to 3.5.8 and earlier unsupported versions
Versions fixed: 3.7.3, 3.6.7 and 3.5.9
Reported by: Yuriy Dyachenko
CVE identifier: CVE-2019-14884
Changes (master): http://git