MSA-20-0002: Grade history report does not respect Separate groups mode in the course settings

by Michael Hawkins.  

Users viewing the grade history report without the 'access all groups' capability were not restricted to viewing grades of users within their own groups.


...
Severity/Risk: Minor
Versions affected: 3.8 to 3.8.1, 3.7 to 3.7.4, 3.6 to 3.6.8, 3.5 to 3.5.10 and earlier unsupported versions
Versions fixed: 3.8.2, 3.7.5, 3.6.9 and 3.5.11
R


MSA-19-0029: Reflected XSS possible from some fatal error messages

by Michael Hawkins.  

Fatal error messages required extra sanitizing to prevent reflected XSS risks on some pages.


...
Severity/Risk: Serious
Versions affected: 3.7 to 3.7.2, 3.6 to 3.6.6, 3.5 to 3.5.8 and earlier unsupported versions
Versions fixed: 3.7.3, 3.6.7 and 3.5.9
Reported by: Yuriy Dyachenko
CVE identifier: CVE-2019-14884
Changes (master): http://git

MSA-19-0028: Email media URL tokens were not checking for user status

by Michael Hawkins.  

Tokens used to fetch inline attachments in email notifications were not disabled when a user's account was no longer active. Note: to access files, a user would need to know both the file path and their token.


...
Severity/Risk: Minor
Versions affected: 3.7 to 3.7.2 and 3.6 to 3.6.6
Versions fixed: 3.7.3 and 3.6.7
Reported by: Juan Leyva
C