MSA-18-0015: Web service core_course_get_categories may return invisible categories

by Michael Hawkins.  

It was possible for the core_course_get_categories web service to return hidden categories, which should be omitted when fetching course categories unless the caller is allowed to view them. Note this only affects cases where a user has access to manage categories but does not also have permission to view hidden categories; for such a user the web service returned categories that should have been withheld.


Severity/Risk: Minor
Versions affected: 3.5

MSA-18-0014: Privacy data exports include log data

by Michael Hawkins.  

No option existed to omit log data from data privacy exports. Those logs may contain details of other users who interacted with the requester, so an export produced for one user could disclose information about others. Note this may be a serious privacy consideration for sites processing data exports.


Severity/Risk: Minor
Versions affected: 3.5, 3.4.3, 3.3 to 3.3.6
Versions fixed: 3.5.1, 3.4.4, 3.3.7

MSA-18-0012: Portfolio script allows instantiation of class chosen by user

by Marina Glancy.  

By substituting the class name in a portfolio URL, a user could make the portfolio script instantiate any class. Because this is reachable by users logged in as guests, it can also be exploited to create a DDoS attack.
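The following is an added illustration of the vulnerability class described above, not Moodle's portfolio code and not the actual fix. All class and function names (PortfolioPlugin, DownloadPlugin, ExpensiveReport, load_plugin_vulnerable, load_plugin_hardened) are hypothetical. It contrasts instantiating whatever class name arrives in the query string with resolving a short key against an explicit allowlist and checking the result against the expected interface.

```php
<?php
// Added example, not Moodle code. All names below are hypothetical.
declare(strict_types=1);

interface PortfolioPlugin
{
    public function name(): string;
}

final class DownloadPlugin implements PortfolioPlugin
{
    public function name(): string { return 'download'; }
}

final class FlickrPlugin implements PortfolioPlugin
{
    public function name(): string { return 'flickr'; }
}

// An unrelated class that should never be reachable from a request parameter.
// A constructor doing heavy work is exactly what a guest could hammer to
// exhaust server resources if arbitrary instantiation is allowed.
final class ExpensiveReport
{
    public function __construct()
    {
        // Placeholder for expensive setup (large queries, file generation, ...).
    }
}

// VULNERABLE: the class name is taken straight from the query string and
// instantiated. ?plugin=ExpensiveReport creates an ExpensiveReport object.
function load_plugin_vulnerable(array $query): object
{
    $class = $query['plugin'] ?? DownloadPlugin::class;
    return new $class();
}

// HARDENED: the user supplies only a short key; the key is looked up in an
// explicit allowlist, and the resulting object is checked against the
// interface the caller actually needs.
const PORTFOLIO_PLUGINS = [
    'download' => DownloadPlugin::class,
    'flickr'   => FlickrPlugin::class,
];

function load_plugin_hardened(array $query): PortfolioPlugin
{
    $key = $query['plugin'] ?? 'download';
    if (!is_string($key) || !array_key_exists($key, PORTFOLIO_PLUGINS)) {
        throw new InvalidArgumentException('unknown portfolio plugin');
    }
    $class  = PORTFOLIO_PLUGINS[$key];
    $plugin = new $class();
    if (!$plugin instanceof PortfolioPlugin) {
        // Defence in depth: the allowlist should only hold plugin classes.
        throw new LogicException('allowlisted class is not a PortfolioPlugin');
    }
    return $plugin;
}

// Demonstration with a constructed query parameter standing in for $_GET.
echo get_class(load_plugin_vulnerable(['plugin' => 'ExpensiveReport'])), "\n";

try {
    load_plugin_hardened(['plugin' => 'ExpensiveReport']);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}

echo load_plugin_hardened(['plugin' => 'flickr'])->name(), "\n";
```

The point of the allowlist is that the request never carries a class name at all; it carries a key the application maps to a class it chose in advance. Validating the name against class_exists() or a naming prefix is not a substitute, since any loadable class with the right prefix would still be instantiated, constructor side effects included.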


Severity/Risk: Serious
Versions affected: 3.4 to 3.4.2, 3.3 to 3.3.5, 3.2 to 3.2.8, 3.1 to 3.1.11 and earlier unsupported versions
Versions fixed: 3.5, 3.4.3, 3.3.6, 3.2.9 and

MSA-18-0011: User who did not agree to the site policies can see the site homepage as if they had full site access

by Marina Glancy.  

Agreement to the site policies was not checked for logged-in users browsing the front page and the activities on it, so a user who had not yet agreed to the policies could see the front page as if they had full site access.


Severity/Risk: Minor
Versions affected: 3.4 to 3.4.2, 3.3 to 3.3.5, 3.2 to 3.2.8, 3.1 to 3.1.11 and earlier unsupported versions
Versions fixed: 3.5, 3.4.3, 3.3.6, 3.2.9 and 3.1.12
Reported by: Marina Glancy
Changes (master): http://g