| Description: | If the site-wide rules exist in the event monitor tool, any user can subscribe themselves to them and potentially access information they are not supposed to see. |
| Issue summary: | Any authenticated user can subscribe to site wide event monitor rules |
| Severity/Risk: | Minor |
| Versions affected: | 2.8 to 2.8.5 |
| Versions fixed: | 2.9 and 2.8.6 |
| Reported by: | Adrian Greeve |
| Issue no.: | MDL-50039 |
| Workaround: | Do not use site-wide rules until your site is upgraded |
| CVE identifier: | CVE-2015-3177 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-50039 |
MSA-15-0021: Any authenticated user can subscribe to site-wide event monitor rules
by Marina Glancy -
Number of replies: 0