MSA-16-0021: Unenrolled user still receives event monitor notifications even though they can no longer access course

by Marina Glancy.  

Description: The Event monitor tool checked access to the course or activity only when the subscription was created and did not re-evaluate it when sending notifications. As a result, an unenrolled user can receive notifications containing information they can no longer access.
Issue summary: Event monitor notifications do not check user access to the course/activity (for example, after a teacher has been unenrolled)
Versions affected: 3.1, 3.0 to 3.0.4, 2.9 to 2.9.6, 2.8 to 2.8.12
Versions fixed: 3.1.1, 3.0.5 and 2.9.7
Reported by: Stuart R Mealor
Issue no.: MDL-53431
CVE identifier: CVE-2016-5014
Changes (master):
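
The flaw described above is a check made once at subscription time and never repeated at delivery time. The following is an added illustration in Python, not Moodle's code and not the patch referenced under "Changes"; the `Monitor` class, its method names and the sample users are hypothetical and constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Subscription:
    user: str
    course: str


class Monitor:
    """Toy model of an event monitor (hypothetical, not a Moodle API)."""

    def __init__(self, enrolments):
        # Set of (user, course) pairs: the current source of truth for access.
        self.enrolments = enrolments
        self.subscriptions = []

    def can_access(self, user, course):
        return (user, course) in self.enrolments

    def subscribe(self, user, course):
        # Access check at creation time, the only check in the flawed flow.
        if not self.can_access(user, course):
            raise PermissionError(f"{user} cannot access {course}")
        self.subscriptions.append(Subscription(user, course))

    def notify_unchecked(self, course, message):
        # Flawed flow: trusts the decision made when the subscription was created.
        return [(s.user, message) for s in self.subscriptions if s.course == course]

    def notify_checked(self, course, message):
        # Hardened flow: re-evaluate access for every recipient at send time and
        # report who was skipped so the stale subscription can be audited.
        recipients, skipped = [], []
        for s in self.subscriptions:
            if s.course != course:
                continue
            if self.can_access(s.user, s.course):
                recipients.append((s.user, message))
            else:
                skipped.append(s.user)
        return recipients, skipped


def demo():
    # Constructed sample data: two teachers subscribe, then one is unenrolled.
    enrolments = {("teacher_a", "course1"), ("teacher_b", "course1")}
    monitor = Monitor(enrolments)
    monitor.subscribe("teacher_a", "course1")
    monitor.subscribe("teacher_b", "course1")
    enrolments.discard(("teacher_a", "course1"))
    leaked = monitor.notify_unchecked("course1", "grade updated")
    safe, skipped = monitor.notify_checked("course1", "grade updated")
    return leaked, safe, skipped
```
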

