MSA-18-0010: User can shift a block from Dashboard to any page

by Marina Glancy.  

Authenticated users are allowed to add HTML blocks containing scripts to their Dashboard. This is normally not a security issue, because a personal dashboard is visible only to the user who owns it. Through this vulnerability, users can move such a block to other pages, where it can be viewed by other users.


Severity/Risk: Serious
Versions affected: 3.4 to 3.4.2, 3.3 to 3.3.5, 3.2 to 3.2.8, 3.1 to 3.1.11 and earlier unsupported versions
Versions fixed: 3.5, 3.4.3, 3.3.6, 3.2.9 and 3.1.12
Reported by: Brendan Cox
Workaround: Prohibit the capability 'moodle/my:manageblocks' for the Authenticated user role until the fix is applied
CVE identifier: CVE-2018-1136
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-62206
Tracker issue: MDL-62206 User can shift a block from Dashboard to any page

Read more: https://moodle.org/mod/forum/discuss.php?d=371202&parent=1496356