Moodle.org: MSA-15-0025: Capability to manage own files is not respected in Web Services

Security announcements

by Marina Glancy - Monday, May 18, 2015, 9:05 AM

Description:	Users with the revoked capability 'moodle/user:manageownfiles' are still able to upload private files using deprecated function in Web Services
Issue summary:	Users with the manageownfiles disabled are able to upload private files via Web Services
Severity/Risk:	Minor
Versions affected:	2.8 to 2.8.5, 2.7 to 2.7.7, 2.6 to 2.6.10 and earlier unsupported versions
Versions fixed:	2.9, 2.8.6, 2.7.8 and 2.6.11
Reported by:	Juan Leyva
Issue no.:	MDL-49994
CVE identifier:	CVE-2015-3181
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-49994