MSA-17-0012: CSRF in number of courses displayed in the course overview block

by Marina Glancy.  

The link changing the user preference for how many courses to show in their course overview block was not protected against CSRF. This represents a minor security issue since it can't be exploited for anybody's benefit, only to create confusion.

Severity/Risk: Minor
Versions affected: 3.2 to 3.2.2, 3.1 to 3.1.5, 3.0 to 3.0.9, 2.7 to

MSA-17-0011: Searching of blogs possible without capability to do it

by Marina Glancy.  

The capability to search blogs was not checked properly, resulting in users being able to search blogs without permission.

Severity/Risk: Minor
Versions affected: 3.2 to 3.2.2, 3.1 to 3.1.5, 3.0 to 3.0.9, 2.7 to 2.7.19 and other unsupported versions
Versions fixed: 3.2.3, 3.1.6, 3.0.10 and 2.7.20
Reported by: Daniel Kosinski
CVE

MSA-17-0010: External blog editing takeover

by Marina Glancy.  

A user could edit somebody else's external blog link. The ownership of the blog would be changed to the current user, so compromising other people was not possible.

Severity/Risk: Minor
Versions affected: 3.2 to 3.2.2, 3.1 to 3.1.5, 3.0 to 3.0.9, 2.7 to 2.7.19 and other unsupported versions
Versions fixed: 3.2.3, 3.1.6,

MSA-17-0009: XSS in attachments to evidence of prior learning

by Marina Glancy.  

Description: Serving files attached to evidence of prior learning did not force download. When viewed by other users, they would be opened in the current Moodle session.
Issue summary: XSS in attachments to evidence of prior learning
Severity/Risk: Serious
Versions affected: 3.2 to 3.2.1 and 3.1 to 3.1.4
Versions fixed: 3.2.2 and 3.1.5
Rep