Topic: Cross Site Request Forgery (CSRF) in messaging setting
Severity: Major
Versions affected: < 1.6.8, < 1.7.6, < 1.8.7, < 1.9.3
Reported by: internal code review
Issue no.: MDL-16688
Solution: update to latest releases
Description:
The messaging settings page was exposed to a CSRF vulnerability because it wasn't protected by the sesskey mechanism.
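
The following is an added illustration, not Moodle's code: a small Python model of a per-session key check on a settings form, showing a handler without the check beside one with it. The class, function and field names (`Session`, `save_protected`, `email_offline_messages`) are hypothetical, and the requests are constructed sample data.

```python
import hmac
import secrets


class Session:
    """Server-side session; the browser only holds the cookie that selects it."""
    def __init__(self):
        self.sesskey = secrets.token_urlsafe(16)         # per-session secret
        self.settings = {"email_offline_messages": "1"}  # hypothetical field


def render_form(session):
    """The site's own form embeds the session key as a hidden field."""
    return {"sesskey": session.sesskey, **session.settings}


def save_unprotected(session, post):
    """'Before': any POST that arrives with the session cookie is applied."""
    session.settings["email_offline_messages"] = post["email_offline_messages"]
    return True


def save_protected(session, post):
    """'After': apply the change only if the POST carries this session's key."""
    supplied = post.get("sesskey", "")
    # Constant-time comparison on bytes, so any submitted string is handled.
    if not hmac.compare_digest(supplied.encode(), session.sesskey.encode()):
        return False  # missing or wrong key: leave settings untouched
    session.settings["email_offline_messages"] = post["email_offline_messages"]
    return True


def demo():
    # Constructed requests. A cross-site page can make the browser send the
    # session cookie, but it cannot read that session's key.
    forged = {"email_offline_messages": "0"}
    s1 = Session()
    before = (save_unprotected(s1, forged), s1.settings["email_offline_messages"])
    s2 = Session()
    rejected = (save_protected(s2, forged), s2.settings["email_offline_messages"])
    genuine = dict(render_form(s2), email_offline_messages="0")
    accepted = (save_protected(s2, genuine), s2.settings["email_offline_messages"])
    return before, rejected, accepted


if __name__ == "__main__":
    print(demo())
```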