Description: | If the site-wide rules exist in the event monitor tool, any user can subscribe themselves to them and potentially access information they are not supposed to see. |
Issue summary: | Any authenticated user can subscribe to site wide event monitor rules |
Severity/Risk: | Minor |
Versions affected: | 2.8 to 2.8.5 |
Versions fixed: | 2.9 and 2.8.6 |
Reported by: | Adrian Greeve |
Issue no.: | MDL-50039 |
Workaround: | Do not use site-wide rules until your site is upgraded |
CVE identifier: | CVE-2015-3177 |
Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-50039 |
MSA-15-0021: Any authenticated user can subscribe to site-wide event monitor rules
par Marina Glancy,
Nombre de réponses : 0