MSA-19-0005: Logged in users could view all calendar events

by Michael Hawkins.  

Permissions were not correctly checked before loading event information into the calendar's edit event modal popup, so logged-in non-guest users could view unauthorised calendar events. (Note: access was read-only; users could not edit the events.)


Severity/Risk: Serious
Versions affected: 3.6 to 3.6.2, 3.5 to 3.5.4 and 3.4 to 3.4.7
Versions fixed: 3.6.3, 3.5.5 and 3.4.8
Reported by: Juan Leyva
CVE identifier: CVE-2019-3848
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-64830
Tracker issue: MDL-64830 Logged in users could view all calendar events

Read more https://moodle.org/mod/forum/discuss.php?d=384011&parent=1547743