MSA-16-0021: Unenrolled user still receives event monitor notifications even though they can no longer access course

by Marina Glancy.  

Description: The event monitor tool checked access to the course or activity only when the subscription was created and did not re-evaluate it when sending notifications. This can result in an unenrolled user receiving notifications containing information they can no longer access.
Issue summary: Event monitor notifications do not check user access to the course/activity (for example, after a teacher has been unenrolled)
Severity/Risk: Minor
Versions affected: 3.1, 3.0 to 3.0.4, 2.9 to 2.9.6, 2.8 to 2.8.12
Versions fixed: 3.1.1, 3.0.5 and 2.9.7
Reported by: Stuart R Mealor
Issue no.: MDL-53431
CVE identifier: CVE-2016-5014
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-53431
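
The flaw described above, modelled as an added example (this is not Moodle's code or the actual patch): access is checked when the subscription is created, and the hardened variant re-evaluates it for each subscriber at send time. The Course and Monitor classes, their method names and the sample users are hypothetical.

```python
# Added illustration: a minimal model of the access-check flaw, not Moodle code.
# All class, method and user names here are hypothetical.
from dataclasses import dataclass, field


@dataclass
class Course:
    name: str
    enrolled: set = field(default_factory=set)

    def can_access(self, user: str) -> bool:
        return user in self.enrolled


class Monitor:
    def __init__(self, courses):
        self.courses = {c.name: c for c in courses}
        self.subscriptions = []  # list of (user, course_name) pairs

    def subscribe(self, user, course_name):
        # Access is checked here, at subscription time (both variants do this).
        if not self.courses[course_name].can_access(user):
            raise PermissionError(f"{user} cannot access {course_name}")
        self.subscriptions.append((user, course_name))

    def recipients_unfixed(self, course_name):
        # Flawed: trusts the check made when the subscription was created.
        return [u for u, c in self.subscriptions if c == course_name]

    def recipients_fixed(self, course_name):
        # Hardened: re-evaluates access for every subscriber at send time.
        course = self.courses.get(course_name)
        if course is None:  # course removed since subscription: notify nobody
            return []
        return [u for u, c in self.subscriptions
                if c == course_name and course.can_access(u)]


def demo():
    # Constructed sample data: two teachers subscribe, then one is unenrolled.
    course = Course("Physics 101", {"teacher_a", "teacher_b"})
    monitor = Monitor([course])
    monitor.subscribe("teacher_a", "Physics 101")
    monitor.subscribe("teacher_b", "Physics 101")
    course.enrolled.discard("teacher_a")
    return (monitor.recipients_unfixed("Physics 101"),
            monitor.recipients_fixed("Physics 101"))
```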

Read more https://moodle.org/mod/forum/discuss.php?d=336699&parent=1356861