Topic: | User account disclosure in LAMS module |
Severity/Risk: | Major |
Versions affected: | <1.8.11 and <1.9.7 |
Reported by: | internal code review |
Issue no.: | MDL-20924 |
Solution: | upgrade to 1.8.11 or 1.9.7 |
Workaround: | uninstall module and delete mod/lams directory |
Description:
LAMS module code discloses username, firstname and lastname database fields from user table. This information could be used in other types of attacks.