MSA-17-0012: CSRF in number of courses displayed in the course overview block

By Marina Glancy.

The link that changes a user's preference for how many courses are shown in their course overview block was not protected against CSRF. This is a minor security issue, since it can't be exploited for anybody's benefit, only to create confusion.
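The class of bug described above, shown as an added example that is not Moodle's code or its fix: a preference-changing link handled without and with a per-session token check. All function names, the `/overview.php` path and the `courses` and `token` parameters are hypothetical.

```php
<?php
// Added illustration, not Moodle code. Names, path and parameters are hypothetical.

// Per-session secret created at login and kept server-side with the preferences.
function new_session(): array {
    return ['token' => bin2hex(random_bytes(16)), 'prefs' => ['courses_shown' => 10]];
}

// Build the "show N courses" link; the hardened form also carries the session token.
function pref_link(int $n, ?string $token = null): string {
    $params = ['courses' => $n];
    if ($token !== null) {
        $params['token'] = $token;
    }
    return '/overview.php?' . http_build_query($params);
}

// Before: any request that arrives with the user's cookie changes the preference.
function handle_unprotected(array &$session, array $query): bool {
    if (!isset($query['courses'])) {
        return false;
    }
    $session['prefs']['courses_shown'] = max(0, (int) $query['courses']);
    return true;
}

// After: the change is applied only when the request carries this session's token.
function handle_protected(array &$session, array $query): bool {
    $sent = $query['token'] ?? '';
    if (!is_string($sent) || !hash_equals($session['token'], $sent)) {
        return false; // token missing or wrong: leave the preference untouched
    }
    return handle_unprotected($session, $query);
}

// Constructed requests: one link built without the token (what another site
// could embed) and one built by the application for this session.
$session = new_session();
parse_str(parse_url(pref_link(1), PHP_URL_QUERY), $crossSite);
parse_str(parse_url(pref_link(5, $session['token']), PHP_URL_QUERY), $sameSite);

foreach (['cross-site' => $crossSite, 'same-site' => $sameSite] as $label => $query) {
    $applied = handle_protected($session, $query);
    printf("%s: applied=%s, courses_shown=%d\n", $label,
        $applied ? 'yes' : 'no', $session['prefs']['courses_shown']);
}
```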


Severity/Risk: Minor
Versions affected: 3.2 to 3.2.2, 3.1 to 3.1.5, 3.0 to 3.0.9, 2.7 to 2.7.19 and other unsupported versions
Versions fixed: 3.2.3, 3.1.6, 3.0.10 and 2.7.20
Reported by: Lukas Schmidt
CVE identifier: CVE-2017-7491
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-58740
Tracker issue: MDL-58740 CSRF on my/index.php

Read more https://moodle.org/mod/forum/discuss.php?d=352355&parent=1421789