MSA-17-0015: Course creators are able to change system default settings for courses

by Marina Glancy.  

An insufficient permission check in the "Site administration" tree allows users who have permission to access one page in the tree to change other settings.


...
Severity/Risk: Minor
Versions affected: 3.3, 3.2 to 3.2.3, 3.1 to 3.1.6 and earlier unsupported versions
Versions fixed: 3.3.1, 3.2.4 and 3.1.7
Reported by: Thomas Jaisson
CVE

MSA-17-0014: Course overview block reveals activities in hidden courses

by Marina Glancy.  

The Timeline view of the new course overview block can show events for activities that the user cannot yet access because the course is hidden.


...
Severity/Risk: Minor
Versions affected: 3.3
Versions fixed: 3.3.1
Reported by: Charles Fulton
CVE identifier: CVE-2017-7531
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HE

MSA-17-0006: User fullname disclosure on user preferences page

by Marina Glancy.  

Some pages show the full names of users as part of the permission error message, even to users who do not have the capability to view full names.


...
Severity/Risk: Minor
Versions affected: 3.3, 3.2 to 3.2.3, 3.1 to 3.1.6 and earlier unsupported versions
Versions fixed: 3.3.1, 3.2.4 and 3.1.7
Reported by: Andreas Grabs
CVE identifier: CVE-2017-264

MSA-17-0013: Missing permission check when adding forum post attachments in Web Services

by Marina Glancy.  

Users without the capability to add attachments to forum posts were able to do so via Web Services. This Web Service is used in the mobile app.


...
Severity/Risk: Minor
Versions affected: 3.2 to 3.2.2 and 3.1 to 3.1.5
Versions fixed: 3.2.3 and 3.1.6
Reported by: Juan Leyva
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=