MSA-19-0006: Users could elevate their role when accessing the LTI tool on a provider site

by Michael Hawkins.  

Users could assign themselves an escalated role within courses or content accessed via LTI, by modifying the request to the LTI publisher site.


...
Severity/Risk: Serious
Versions affected: 3.6 to 3.6.2, 3.5 to 3.5.4, 3.4 to 3.4.7 and earlier unsupported versions
Versions fixed: 3.6.3, 3.5.5 and 3.4.8
Reported by: Brendan Cox
CVE


MSA-19-0004: Log in as functionality exposed to JavaScript risk on other users' Dashboards

by Michael Hawkins.  

Users with the "login as other users" capability (such as administrators/managers) can access other users' Dashboards, but the JavaScript those other users may have added to their Dashboard was not being escaped when being viewed by the user logging in on their behalf.

Please note that for versions 3.1 and 3.4 only, this...


MSA-19-0009: get_with_capability_join/get_users_by_capability not aware of context freezing

by Michael Hawkins.  

get_with_capability_join and get_users_by_capability were not taking context freezing into account when checking user capabilities.


...
Severity/Risk: Minor
Versions affected: 3.6 to 3.6.2
Versions fixed: 3.6.3
Reported by: Andrew Nicols
CVE identifier: CVE-2019-3852
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&