MSA-19-0004: Log in as functionality exposed to JavaScript risk on other users' Dashboards

by Michael Hawkins.  

Users with the "login as other users" capability (such as administrators/managers) can access other users' Dashboards, but the JavaScript those other users may have added to their Dashboard was not being escaped when being viewed by the user logging in on their behalf.

Please note that for versions 3.1 and 3.4 only, this...

Leer más...

MSA-19-0009: get_with_capability_join/get_users_by_capability not aware of context freezing

by Michael Hawkins.  

get_with_capability_join and get_users_by_capability were not taking context freezing into account when checking user capabilities


...
Severity/Risk:Minor
Versions affected:3.6 to 3.6.2
Versions fixed:3.6.3
Reported by:Andrew Nicols
CVE identifier:CVE-2019-3852
Changes (master):http://git.moodle.org/gw?p=moodle.git&a=search&
Leer más...

MSA-19-0003: User full name is not escaped in the un-linked userpix page

by Michael Hawkins.  

The /userpix/ page did not escape users' full names, which are included as text when hovering over profile images. Note this page is not linked to by default and its access is restricted.


...
Severity/Risk:Minor
Versions affected:3.6 to 3.6.1, 3.5 to 3.5.3, 3.4 to 3.4.6, 3.1 to 3.1.15 and earlier unsupported versions
Versions
Leer más...