MSA-16-0016: User can view badges of other users without proper permissions

by Marina Glancy.  

...
Description:Capability check to view other badges was performed for the current user instead for the user whose badges are being viewed
Issue summary:Badges code checks viewotherbadges capability in the wrong context
Severity/Risk:Minor
Versions affected:3.0 to 3.0.3, 2.9 to 2.9.5, 2.8 to 2.8.11, 2.7 to 2.7.13 and earlier
Leer más...

MSA-16-0015: Information disclosure of hidden forum names and sub-names.

by Marina Glancy.  

...
Description:Name of the inaccessible forum or forum discussion could be disclosed as part of the error message on the subscription page
Issue summary:Information disclosure of hidden forum names and sub-names.
Severity/Risk:Minor
Versions affected:3.0 to 3.0.3, 2.9 to 2.9.5 and 2.8 to 2.8.11
Versions fixed:3.0.4, 2.9.6 and
Leer más...


MSA-16-0013: Users are able to change profile fields that were locked by the administrator

by Marina Glancy.  

...
Description:User editing form only disabled the profile fields in UI and did not actually prevent users from editing them
Issue summary:Tricky users can change locked profile fields
Severity/Risk:Minor
Versions affected:3.0 to 3.0.3, 2.9 to 2.9.5, 2.8 to 2.8.11, 2.7 to 2.7.13 and earlier unsupported versions
Versions fixed:3.0.4
Leer más...