MSA-17-0013: Missing permission check when adding forum post attachments in Web Services

By Marina Glancy.

Users without the capability to add attachments to forum posts were able to do so via Web Services. This Web Service is used by the mobile app.


...
Severity/Risk: Minor
Versions affected: 3.2 to 3.2.2 and 3.1 to 3.1.5
Versions fixed: 3.2.3 and 3.1.6
Reported by: Juan Leyva
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=

MSA-17-0012: CSRF in number of courses displayed in the course overview block

By Marina Glancy.

The link that changes the user preference for how many courses to show in the course overview block was not protected against CSRF. This is a minor security issue since it can't be exploited for anybody's benefit, only to create confusion


...
Severity/Risk: Minor
Versions affected: 3.2 to 3.2.2, 3.1 to 3.1.5, 3.0 to 3.0.9, 2.7 to

MSA-17-0011: Searching of blogs possible without capability to do it

By Marina Glancy.

The capability to search blogs was not checked properly, so users were able to search blogs without permission


...
Severity/Risk: Minor
Versions affected: 3.2 to 3.2.2, 3.1 to 3.1.5, 3.0 to 3.0.9, 2.7 to 2.7.19 and other unsupported versions
Versions fixed: 3.2.3, 3.1.6, 3.0.10 and 2.7.20
Reported by: Daniel Kosinski
CVE

MSA-17-0010: External blog editing takeover

By Marina Glancy.

A user could edit somebody else's external blog link. The ownership of the blog would be changed to the current user, so compromising other people was not possible


...
Severity/Risk: Minor
Versions affected: 3.2 to 3.2.2, 3.1 to 3.1.5, 3.0 to 3.0.9, 2.7 to 2.7.19 and other unsupported versions
Versions fixed: 3.2.3, 3.1.6,