MSA-19-0024: Assigned Role in Cohort did not un-assign on removal

by Michael Hawkins.  

When a cohort role assignment was removed, the associated capabilities were not being revoked (where applicable).


...
Severity/Risk: Minor
Versions affected: 3.7 to 3.7.2, 3.6 to 3.6.6, 3.5 to 3.5.8 and earlier unsupported versions
Versions fixed: 3.7.3, 3.6.7 and 3.5.9
Reported by: Yusuf Yilmaz, Mick Cassell
CVE identifier: CVE-2019-148

Re: MSA-19-0019: Course creation did not check the creator's role assignment capability before automatically assigning them as a teacher in the course

by Michael Hawkins.  

Please note, this issue has been revisited in MDL-66683, as part of the latest minor releases. It appears this was not a bug, and that the original behaviour was the intended functionality. As this change was negatively impacting some course-creation workflows, the functionality has been reverted as of versions 3.7.3,...

MSA-19-0023: Forum subscribe link contained an open redirect if forced subscription mode was enabled

by Michael Hawkins.  

If a forum's subscription mode was set to "forced subscription", the forum's subscribe link contained an open redirect.


...
Severity/Risk: Minor
Versions affected: 3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and earlier unsupported versions
Versions fixed: 3.7.2, 3.6.6 and 3.5.8
Reported by: John Couzins
Workaround: Set a different

MSA-19-0022: Open redirect in the mobile launch endpoint could be used to expose mobile access tokens

by Michael Hawkins.  

The mobile launch endpoint contained an open redirect in some circumstances, which could result in a user's mobile access token being exposed. (Note: This does not affect sites with a forced URL scheme configured, mobile service disabled, or where the mobile app login method is "via the app").


...
Severity/Risk: Serious
Versions