Security Announcements

 
 
My ugly mug
MSA-12-0063: Information leak in Check Permissions page
 
Topic: Check Permissions page displays entire user base without moodle/role:manage capability
Severity/Risk: Minor
Versions affected: 2.3 to 2.3.2+
Reported by: Jody Steele
Issue no.: MDL-35381

CVE Identifier:

CVE-2012-5481
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-35381

Description:

The Check Permissions page was allowing non-admin users to see the capabilities of all users, not just users in a course/category.