MSA-17-0013: Missing permission check when adding forum post attachments in Web Services

By Marina Glancy.

Users without the capability to add attachments to forum posts were able to do so via Web Services. This Web Service is used by the mobile app.


...
Severity/Risk: Minor
Versions affected: 3.2 to 3.2.2 and 3.1 to 3.1.5
Versions fixed: 3.2.3 and 3.1.6
Reported by: Juan Leyva
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=

MSA-17-0012: CSRF in number of courses displayed in the course overview block

By Marina Glancy.

The link that changes a user's preference for how many courses to show in their course overview block was not protected against CSRF. This represents a minor security issue, since it can't be exploited for anybody's benefit, only to create confusion.


...
Severity/Risk: Minor
Versions affected: 3.2 to 3.2.2, 3.1 to 3.1.5, 3.0 to 3.0.9, 2.7 to

MSA-17-0011: Searching of blogs possible without capability to do it

By Marina Glancy.

The capability to search blogs was not checked properly, resulting in users being able to search blogs without permission.


...
Severity/Risk: Minor
Versions affected: 3.2 to 3.2.2, 3.1 to 3.1.5, 3.0 to 3.0.9, 2.7 to 2.7.19 and other unsupported versions
Versions fixed: 3.2.3, 3.1.6, 3.0.10 and 2.7.20
Reported by: Daniel Kosinski
CVE

MSA-17-0010: External blog editing takeover

By Marina Glancy.

A user could edit somebody else's external blog link. The ownership of the blog would be changed to the current user, therefore compromising other people was not possible.


...
Severity/Risk: Minor
Versions affected: 3.2 to 3.2.2, 3.1 to 3.1.5, 3.0 to 3.0.9, 2.7 to 2.7.19 and other unsupported versions
Versions fixed: 3.2.3, 3.1.6,