Security announcements

MSA-12-0016: Default repository capabilities issue

 
Topic: authenticated user "view" capability set to "allow" for all repos
Severity: Minor
Versions affected: 2.2 to 2.2.1+, 2.1 to 2.1.4+, 2.0 to 2.0.7+
Reported by: Andrea Bicciolo

Workaround: Manually change capability for repositories

Issue no.: MDL-30452

CVE Identifier: CVE-2012-1157

Changes (master): http://git.moodle.org/gw?p=moodle.git;a=commit;h=246c2cb8e5af71a7d7c605b8fc9f9563e0fb3bc4

Description:

Not all repositories are intended for student use; however, all repositories were viewable by all users by default. This change will affect new installations only. Existing site admins should review their repository capabilities.
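
One way for an existing site to carry out that review is the audit query below. It is an added example, not part of the Moodle advisory or the fix. It assumes the default `mdl_` table prefix and the standard Moodle 2.x role tables, and it lists every repository "view" capability currently set to "allow" for a role with the authenticated user archetype.

```sql
-- Added example: list repository view capabilities that are allowed
-- for the authenticated user role.
-- Assumptions: default table prefix "mdl_"; permission = 1 is CAP_ALLOW;
-- contextlevel = 10 is the system context, where role defaults are stored.
SELECT r.shortname     AS role_shortname,
       rc.capability   AS capability,
       c.contextlevel  AS context_level,
       rc.timemodified AS last_modified
FROM   mdl_role_capabilities rc
JOIN   mdl_role    r ON r.id = rc.roleid
JOIN   mdl_context c ON c.id = rc.contextid
WHERE  r.archetype = 'user'                      -- authenticated user role
  AND  rc.capability LIKE 'repository/%:view'    -- one capability per repository plugin
  AND  rc.permission = 1                         -- allow
ORDER  BY c.contextlevel, rc.capability;
```

Each returned row is a repository that any logged-in user can view; rows for repositories not intended for student use are the ones to change as described in the workaround.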