MSA-18-0008: Users can download any file via portfolio assignment caller class

by Marina Glancy.  

Students who had submitted an assignment and exported it to a portfolio could download any file stored in Moodle by modifying the download URL, since the portfolio assignment caller class did not check that the requested file belonged to the submission being exported.

Severity/Risk: Minor
Versions affected: 3.4 to 3.4.2, 3.3 to 3.3.5, 3.2 to 3.2.8, 3.1 to 3.1.11 and earlier unsupported versions
Versions fixed: 3.5, 3.4.3, 3.3.6, 3.2.9 and 3.1.12
Reported by: Brendan Cox
Workaround: Disable portfolios until the fix is applied. Portfolios are disabled by default in Moodle.
CVE identifier: CVE-2018-1134
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-62210
Tracker issue: MDL-62210 Users can download any file via portfolio assignment caller class

Read more: https://moodle.org/mod/forum/discuss.php?d=371200&parent=1496354