MSA-19-0012: Private files uploaded via incoming mail processing could bypass quota restrictions

by Michael Hawkins.  

The size of users' private file uploads via email was not correctly checked, so their quota allowance could be exceeded.


Severity/Risk: Minor
Versions affected: 3.6 to 3.6.3, 3.5 to 3.5.5, 3.4 to 3.4.8, 3.1 to 3.1.17 and earlier unsupported versions
Versions fixed: 3.7, 3.6.4, 3.5.6, 3.4.9 and 3.1.18
Reported by: Guillermo Leon Alvarez Salamanca
Workaround: Disable the "Email to Private files" message handler until the fix is applied. This is disabled by default in Moodle.
CVE identifier: CVE-2019-10134
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-61738
Tracker issue: MDL-61738 Private files uploaded via incoming mail processing could bypass quota restrictions
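
A check of a site's release string against the affected and fixed versions listed above, as an added example that is not part of the advisory or of Moodle's code. The function names, the three status labels and the sample release strings are constructed here, and a branch with no fixed release listed is assumed to fall under "earlier unsupported versions".

```python
import re

# Fixed point release per branch, from the advisory's "Versions fixed" line.
FIXED = {(3, 1): 18, (3, 4): 9, (3, 5): 6, (3, 6): 4}
FIRST_CLEAN_BRANCH = (3, 7)  # 3.7 is listed as fixed; later branches build on it


def parse_release(release):
    """Parse a release string such as '3.5.4+ (Build: ...)' into (major, minor, patch)."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised release string: {release!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def msa_19_0012_status(release):
    """Return 'fixed', 'affected' or 'unsupported' for a Moodle release string."""
    major, minor, patch = parse_release(release)
    branch = (major, minor)
    if branch >= FIRST_CLEAN_BRANCH:
        return "fixed"
    if branch in FIXED:
        # A '+' weekly build is judged by its base version, which is the
        # conservative reading: it may or may not already carry the fix.
        return "fixed" if patch >= FIXED[branch] else "affected"
    # Assumption: no fixed release is listed for this branch (for example 3.2,
    # 3.3, 3.0 or 2.x), so it is treated as an unsupported version with no fix.
    return "unsupported"


def audit(releases):
    """Map each release string to its status."""
    return {r: msa_19_0012_status(r) for r in releases}


# Constructed sample inventory of release strings.
SAMPLES = ["3.6.3", "3.6.4", "3.5", "3.4.8+ (Build: 20190301)", "3.3.9", "3.7"]

if __name__ == "__main__":
    for release, status in audit(SAMPLES).items():
        print(f"{release:28} {status}")
```

Sites reported as "affected" or "unsupported" should have the "Email to Private files" handler disabled until they are upgraded.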

Read more https://moodle.org/mod/forum/discuss.php?d=386524&parent=1557998