MSA-19-0025: Add additional verification for some OAuth 2 logins to prevent account compromise

by Michael Hawkins.  

OAuth 2 providers who do not verify users' email address changes require additional verification during sign-up to reduce the risk of account compromise.


...
Severity/Risk: Serious
Versions affected: 3.7 to 3.7.2, 3.6 to 3.6.6, 3.5 to 3.5.8 and earlier unsupported versions
Versions fixed: 3.7.3, 3.6.7 and 3.5.9
Reported by: CeDiS Team

MSA-19-0024: Assigned Role in Cohort did not un-assign on removal

by Michael Hawkins.  

When a cohort role assignment was removed, the associated capabilities were not being revoked (where applicable).


...
Severity/Risk: Minor
Versions affected: 3.7 to 3.7.2, 3.6 to 3.6.6, 3.5 to 3.5.8 and earlier unsupported versions
Versions fixed: 3.7.3, 3.6.7 and 3.5.9
Reported by: Yusuf Yilmaz, Mick Cassell
CVE identifier: CVE-2019-148

Re: MSA-19-0019: Course creation did not check the creator's role assignment capability before automatically assigning them as a teacher in the course

by Michael Hawkins.  

Please note, this issue has been revisited in MDL-66683, as part of the latest minor releases. It appears this was not a bug, and that the original behaviour was the intended functionality. As this change was negatively impacting some course-creation workflows, the functionality has been reverted as of versions 3.7.3,...

MSA-19-0023: Forum subscribe link contained an open redirect if forced subscription mode was enabled

by Michael Hawkins.  

If a forum's subscription mode was set to "forced subscription", the forum's subscribe link contained an open redirect.


...
Severity/Risk: Minor
Versions affected: 3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and earlier unsupported versions
Versions fixed: 3.7.2, 3.6.6 and 3.5.8
Reported by: John Couzins
Workaround: Set a different