MSA-17-0015: Course creators are able to change system default settings for courses

by Marina Glancy.  

Insufficient permission check in "Site administration" tree allows users who have permission to access one page in the tree to change other settings.


Severity/Risk:Minor
Versions affected:3.3, 3.2 to 3.2.3, 3.1 to 3.1.6 and earlier unsupported versions
Versions fixed:3.3.1, 3.2.4 and 3.1.7
Reported by:Thomas Jaisson
CVE identifier:CVE-2017-7532
Changes (master):http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-59409
Tracker issue:MDL-59409 Course creators are able to change system default settings for courses

Read more https://moodle.org/mod/forum/discuss.php?d=355556&parent=1434236