MSA-16-0024: Non-admin site managers may accidentally edit admins via web services

by Marina Glancy.  

...
Description: In the Moodle web interface, non-admin users with the capability to edit other users normally cannot edit information about admins; one of the web services did not respect this restriction. This is only a security vulnerability if that web service was exposed to an external service; it is not exposed to the mobile app.
Issue

MSA-16-0023: Question engine allows access to files that should not be available

by Marina Glancy.  

...
Description: A user can guess the URL of a file embedded in a question they are not able to access and download it by using the identifier of a question they can access.
Issue summary: Question engine allows access to files that I should not be able to view
Severity/Risk: Minor
Versions affected: 3.1 to 3.1.2, 3.0 to 3.0.6, 2.9 to
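The flaw described above is an authorization check bound to the wrong object: the server confirmed that the caller may view the question id in the URL, but not that the requested file is actually embedded in that question. The following added example (not Moodle's code; the question table, access table and file names are constructed for illustration) shows the difference between checking only the question id and also checking that the file belongs to that question:

```python
# Added example, not Moodle code: serving a file embedded in a question must
# verify both that the caller may view the question named in the URL AND that
# the file belongs to that question, otherwise a guessed file name from a
# question the caller cannot access is served through an accessible question id.
from dataclasses import dataclass, field


@dataclass
class Question:
    qid: int
    files: set = field(default_factory=set)  # names of files embedded in this question


# Constructed sample data: two questions, one embedded file each.
QUESTIONS = {
    1: Question(1, {"diagram.png"}),
    2: Question(2, {"answer-key.pdf"}),
}

# Constructed access table: user -> ids of questions they may view.
ACCESS = {"alice": {1}, "bob": {1, 2}}


def can_access_question(user, qid):
    return qid in ACCESS.get(user, set())


def serve_file_vulnerable(user, qid, filename):
    """Checks only that the caller may view the question id in the URL.
    The file is then located by name across all questions, so a file embedded
    in a question the caller cannot view (question 2) leaks via question 1."""
    if not can_access_question(user, qid):
        return None
    for q in QUESTIONS.values():
        if filename in q.files:
            return f"<contents of {filename}>"
    return None


def serve_file_fixed(user, qid, filename):
    """Checks that the caller may view the question AND that the file is
    embedded in that same question; a guessed name from another question is refused."""
    if not can_access_question(user, qid):
        return None
    q = QUESTIONS.get(qid)
    if q is None or filename not in q.files:
        return None
    return f"<contents of {filename}>"
```

The fixed version looks the file up only within the question the caller was authorized for, so the authorization decision and the object being served refer to the same question.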

MSA-16-0022: Web service tokens should be invalidated when the user password is changed or forced to be changed

by Marina Glancy.  

...
Description: Access to the mobile app using the old web service token should be revoked if the user changes their password.
Issue summary: Users' tokens should be invalidated when the user password is changed (or forced to be changed)
Severity/Risk: Minor
Versions affected: 3.1 to 3.1.1, 3.0 to 3.0.5, 2.9 to 2.9.7, 2.8 to 2.8.12, 2.7 to 2.7.15 and
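One way to get the behaviour this advisory asks for is to record, with each issued token, a per-user password version, and to bump that version whenever the password is changed or a change is forced; any token carrying an older version is then rejected at its next use. The following is an added example (not Moodle's code; the `TokenStore` class and its method names are hypothetical) of that scheme:

```python
# Added example, not Moodle code: web service tokens are tied to a per-user
# password version. Changing the password, or forcing a change, bumps the
# version, so every token issued under the old password stops working.
import secrets


class TokenStore:
    def __init__(self):
        self._pw_version = {}  # user -> int, incremented on (forced) password change
        self._tokens = {}      # token -> (user, password version at issue time)

    def password_version(self, user):
        return self._pw_version.setdefault(user, 0)

    def issue(self, user):
        """Issue a fresh random token bound to the user's current password version."""
        token = secrets.token_hex(16)
        self._tokens[token] = (user, self.password_version(user))
        return token

    def change_password(self, user):
        """Called after the new password is stored; invalidates all earlier tokens."""
        self._pw_version[user] = self.password_version(user) + 1

    def force_password_change(self, user):
        """An admin forces a change: existing tokens must stop working immediately,
        even though the user has not yet chosen a new password."""
        self._pw_version[user] = self.password_version(user) + 1

    def user_for(self, token):
        """Resolve a token to a user, or None if unknown or issued before the
        most recent password change. Stale tokens are dropped on first use."""
        entry = self._tokens.get(token)
        if entry is None:
            return None
        user, version = entry
        if version != self.password_version(user):
            del self._tokens[token]
            return None
        return user
```

Comparing a stored version rather than deleting rows at change time keeps the password-change path cheap and also covers tokens held in caches or replicas that the deletion might miss; the check happens where the token is actually used.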

MSA-16-0021: Unenrolled user still receives event monitor notifications even though they can no longer access course

by Marina Glancy.  

...
Description: The event monitor tool checked access to the course or activity only when the subscription was created and did not re-evaluate it when sending notifications. As a result, an unenrolled user could receive notifications containing information they can no longer access.
Issue summary: Event monitor notifications do not check user
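The general point behind this advisory is that an access decision made when a subscription is created goes stale once enrolment changes, so it has to be repeated at delivery time. The following added example (not Moodle's code; the enrolment table, course name and function names are constructed for illustration) contrasts a sender that trusts the check made at subscription time with one that re-evaluates access before each notification:

```python
# Added example, not Moodle code: a subscription records that a user once had
# access to a course, but delivery must re-check access, since the user may
# have been unenrolled in the meantime.
from dataclasses import dataclass


@dataclass
class Subscription:
    user: str
    course: str


# Constructed enrolment table: course -> set of currently enrolled users.
ENROLMENTS = {"CS101": {"alice", "bob"}}


def can_access(user, course):
    return user in ENROLMENTS.get(course, set())


def unenrol(user, course):
    ENROLMENTS.get(course, set()).discard(user)


def subscribe(user, course):
    """Access is checked once, at subscription time, as the original tool did."""
    if not can_access(user, course):
        raise PermissionError(f"{user} cannot access {course}")
    return Subscription(user, course)


def notify_vulnerable(subs, course, message):
    """Relies on the check made when the subscription was created, so an
    unenrolled user still receives the course's notifications."""
    return [(s.user, message) for s in subs if s.course == course]


def notify_fixed(subs, course, message):
    """Re-evaluates access for every recipient at delivery time and skips
    subscriptions whose user can no longer access the course."""
    return [
        (s.user, message)
        for s in subs
        if s.course == course and can_access(s.user, s.course)
    ]
```

The same pattern applies to any stored grant (subscriptions, saved searches, scheduled reports): the check that matters is the one performed at the moment the data is actually disclosed.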