MSA-16-0022: Web service tokens should be invalidated when the user password is changed or forced to be changed

by Marina Glancy.  

...
Description: Access to the mobile app using the old web service token should be revoked if the user changes the password
Issue summary: User tokens should be invalidated when the user password is changed (or forced to)
Severity/Risk: Minor
Versions affected: 3.1 to 3.1.1, 3.0 to 3.0.5, 2.9 to 2.9.7, 2.8 to 2.8.12, 2.7 to 2.7.15 and
Read more...

MSA-16-0021: Unenrolled user still receives event monitor notifications even though they can no longer access course

by Marina Glancy.  

...
Description: The event monitor tool checked access to the course or activity only when the subscription was created but did not re-evaluate it when sending notifications. This can result in an unenrolled user receiving notifications with information they can no longer access.
Issue summary: Event monitor notifications do not check user
Read more...

MSA-16-0020: Text injection in email headers

by Marina Glancy.  

...
Description: By changing their own name, a user can inject arbitrary email addresses into the emails that Moodle sends to him/her. This can be used to send spam when Moodle emails user content such as messages and forum posts. It can only be exploited by registered users, and it is very easy to trace and find the attacker.
Issue summary: User
Read more...

MSA-16-0019: Glossary search displays entries without checking user permissions to view them

by Marina Glancy.  

...
Description: When searching in a glossary, entries from other glossaries could be displayed, including those from modules and courses that the user cannot access
Issue summary: Possible to see glossary entries in courses you are not enrolled in
Severity/Risk: Minor
Versions affected: 3.1
Versions fixed: 3.1.1
Reported by: Mary Cooch
Issue no.: MDL-
Read more...