MSA-16-0020: Text injection in email headers

by Marina Glancy.  

...
Description: By changing their own name, a user can inject arbitrary email addresses into the emails that Moodle sends to them. This can be abused to send spam whenever Moodle emails user-generated content such as messages and forum posts. It can only be exploited by registered users, and the attacker is very easy to trace.
Issue summary: User
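The issue above is a classic header-injection shape: a display name is concatenated into an address header, so anything in the name that looks like address-list syntax (`<...>`, commas) or a line break (CRLF) becomes part of the header. The following Python model is an added example and is not Moodle's code (Moodle is PHP); the names `to_header_vulnerable`, `to_header_hardened`, the sample addresses and the injected "names" are all constructed for the illustration. It shows the injected recipient a mail client would extract from the vulnerable header and the hardened builder that quotes the name and refuses control characters.

```python
"""Email header injection through a user-controlled display name.

Added illustration, not Moodle's code: the vulnerable builder mirrors the
generic pattern of assembling "Display Name <address>" by string
concatenation; the hardened builder quotes the name and rejects line breaks.
All sample names and addresses are constructed for this example.
"""
import re
from email.utils import formataddr, getaddresses

# Constructed sample data (hypothetical, not from the advisory).
USER_EMAIL = "student@example.org"
# A "name" that smuggles an extra recipient via address-list syntax.
INJECTED_NAME = "Eve <spam@attacker.example>, Mallory"
# A "name" that smuggles a whole extra header via CRLF.
CRLF_NAME = "Alice\r\nBcc: victim@example.net"

CONTROL_CHARS = re.compile(r"[\r\n\x00]")


def to_header_vulnerable(display_name: str, address: str) -> str:
    """Raw interpolation: everything in display_name lands in the header."""
    return f"{display_name} <{address}>"


def to_header_hardened(display_name: str, address: str) -> str:
    """Refuse CR/LF/NUL, then let formataddr quote RFC 5322 specials
    (< > , " and friends) so the name can never parse as an address."""
    if CONTROL_CHARS.search(display_name):
        raise ValueError("display name contains header control characters")
    return formataddr((display_name, address))


def recipients(header_value: str) -> list:
    """Addresses a mail client or MTA would extract from a To: value."""
    return [addr for _name, addr in getaddresses([header_value]) if addr]


def injects_header(header_value: str) -> bool:
    """True if the value would start a new header line when emitted."""
    return bool(CONTROL_CHARS.search(header_value))


def rejected(display_name: str, address: str) -> bool:
    """True if the hardened builder refuses this display name."""
    try:
        to_header_hardened(display_name, address)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Vulnerable: two recipients, one of them attacker-chosen.
    print(recipients(to_header_vulnerable(INJECTED_NAME, USER_EMAIL)))
    # Hardened: the same name is quoted, only the real address remains.
    print(recipients(to_header_hardened(INJECTED_NAME, USER_EMAIL)))
    # Vulnerable: CRLF in the name opens a new Bcc: header line.
    print(injects_header(to_header_vulnerable(CRLF_NAME, USER_EMAIL)))
    print(rejected(CRLF_NAME, USER_EMAIL))
```

The quoting step alone is not enough: `formataddr` will happily quote a name that contains a newline, so the CR/LF check must come first (or the header must be folded through a policy that refuses embedded line breaks). Both halves are needed whenever user-editable profile fields end up in From, To, Cc or Reply-To.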

MSA-16-0019: Glossary search displays entries without checking user permissions to view them

by Marina Glancy.  

...
Description: When searching in a glossary, entries from other glossaries could be displayed, including entries from modules and courses that the user cannot access.
Issue summary: Possible to see glossary entries in courses you are not enrolled in
Severity/Risk: Minor
Versions affected: 3.1
Versions fixed: 3.1.1
Reported by: Mary Cooch
Issue no.: MDL-

MSA-16-0018: CSRF in script marking forum posts as read

by Marina Glancy.  

...
Description: CSRF is possible via the URL that marks forum posts as read.
Issue summary: Forum markposts.php missing sesskey check
Severity/Risk: Minor
Versions affected: 3.0 to 3.0.3, 2.9 to 2.9.5, 2.8 to 2.8.11, 2.7 to 2.7.13 and earlier unsupported versions
Versions fixed: 3.0.4, 2.9.6, 2.8.12 and 2.7.14
Reported by: Andrew Nicols
Issue
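The missing check above is the per-session secret (Moodle's `sesskey`) that a state-changing request must echo back; without it, the browser's cookie alone authorises the change, so a link embedded on any third-party page marks the victim's posts as read. The Python model below is an added example, not Moodle's PHP `markposts.php`: `Session`, `ForumState`, `require_sesskey`, the link builders and the sample ids are hypothetical names constructed for the illustration. It runs a forged request (one that carries the victim's session but no token) against the unguarded handler and against the guarded one.

```python
"""Session-key (anti-CSRF token) check for a state-changing GET handler.

Added illustration, not Moodle's markposts.php: models a handler that marks
forum posts as read. Session, ForumState, require_sesskey and the link
builders are hypothetical; the mechanism (a secret per session that must be
echoed back in the request, compared in constant time) is the point.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlencode, urlsplit


@dataclass
class Session:
    """Server-side session selected by the browser's cookie."""
    user_id: int
    sesskey: str = field(default_factory=lambda: secrets.token_urlsafe(16))


@dataclass
class ForumState:
    """Which (user_id, post_id) pairs have been marked read."""
    read: set = field(default_factory=set)


def params_of(url: str) -> dict:
    """Flatten the query string of a request URL into a dict."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def mark_read_vulnerable(session: Session, url: str, state: ForumState) -> bool:
    """Before the fix: the cookie alone authorises the change, so the same
    URL loaded via <img src=...> on an attacker's page succeeds."""
    post_id = int(params_of(url)["post"])
    state.read.add((session.user_id, post_id))
    return True


def require_sesskey(session: Session, params: dict) -> None:
    """Reject unless the request echoes this session's secret."""
    supplied = params.get("sesskey", "")
    if not hmac.compare_digest(supplied.encode(), session.sesskey.encode()):
        raise PermissionError("invalid sesskey")


def mark_read_hardened(session: Session, url: str, state: ForumState) -> bool:
    """After the fix: the same handler, guarded by the sesskey check."""
    params = params_of(url)
    require_sesskey(session, params)
    post_id = int(params["post"])
    state.read.add((session.user_id, post_id))
    return True


def markposts_link(session: Session, post_id: int) -> str:
    """Link the application itself renders for the logged-in user."""
    return "markposts.php?" + urlencode({"post": post_id,
                                         "sesskey": session.sesskey})


def forged_link(post_id: int) -> str:
    """What an attacker can embed: they do not know the victim's sesskey."""
    return "markposts.php?" + urlencode({"post": post_id})


def csrf_succeeds(handler) -> bool:
    """Does a forged request change state when sent through handler?"""
    victim, state = Session(user_id=7), ForumState()
    try:
        handler(victim, forged_link(42), state)
    except PermissionError:
        return False
    return (7, 42) in state.read


if __name__ == "__main__":
    print("vulnerable handler, forged request:", csrf_succeeds(mark_read_vulnerable))
    print("hardened handler, forged request:", csrf_succeeds(mark_read_hardened))
    s, st = Session(user_id=3), ForumState()
    print("hardened handler, genuine link:", mark_read_hardened(s, markposts_link(s, 5), st))
```

The token must be unguessable (drawn from a CSPRNG, as `secrets.token_urlsafe` is here) and compared with a constant-time function; a guard that only checks `Referer` or that the request arrived over GET rather than POST does not close the hole, because the forged `<img>` request satisfies both.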

MSA-16-0017: Course idnumber not protected from teacher restore

by Marina Glancy.  

...
Description: During course restore, a teacher could overwrite the course idnumber even without having the capability to change it.
Issue summary: Course idnumber not protected from teacher restore
Severity/Risk: Minor
Versions affected: 3.0 to 3.0.3, 2.9 to 2.9.5, 2.8 to 2.8.11, 2.7 to 2.7.13 and earlier unsupported versions
Versions fixed: 3.0