MSA-17-0006: User fullname disclosure on user preferences page

by Marina Glancy.  

Some pages show the full names of users as part of the permission error message, even to users who do not have the capability to view full names.


...
Severity/Risk: Minor
Versions affected: 3.3, 3.2 to 3.2.3, 3.1 to 3.1.6 and earlier unsupported versions
Versions fixed: 3.3.1, 3.2.4 and 3.1.7
Reported by: Andreas Grabs
CVE identifier: CVE-2017-264

MSA-17-0013: Missing permission check when adding forum post attachments in Web Services

by Marina Glancy.  

Users without the capability to add attachments to forum posts were able to do so via Web Services. This Web Service is used by the mobile app.


...
Severity/Risk: Minor
Versions affected: 3.2 to 3.2.2 and 3.1 to 3.1.5
Versions fixed: 3.2.3 and 3.1.6
Reported by: Juan Leyva
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=

MSA-17-0012: CSRF in number of courses displayed in the course overview block

by Marina Glancy.  

The link that changes a user's preference for how many courses to show in their course overview block was not protected against CSRF. This is a minor security issue, since it cannot be exploited for anybody's benefit, only to create confusion.


...
Severity/Risk: Minor
Versions affected: 3.2 to 3.2.2, 3.1 to 3.1.5, 3.0 to 3.0.9, 2.7 to

MSA-17-0011: Searching of blogs possible without capability to do it

by Marina Glancy.  

The capability to search blogs was not checked properly, resulting in users being able to search blogs without permission.


...
Severity/Risk: Minor
Versions affected: 3.2 to 3.2.2, 3.1 to 3.1.5, 3.0 to 3.0.9, 2.7 to 2.7.19 and other unsupported versions
Versions fixed: 3.2.3, 3.1.6, 3.0.10 and 2.7.20
Reported by: Daniel Kosinski
CVE