| Description: | The event monitor tool checked access to the course or activity only when a subscription was created and did not re-evaluate it when sending notifications. As a result, an unenrolled user can keep receiving notifications containing information they can no longer access. |
| Issue summary: | Event monitor notifications do not check user access to the course/activity (for example, after a teacher has been unenrolled) |
| Severity/Risk: | Minor |
| Versions affected: | 3.1, 3.0 to 3.0.4, 2.9 to 2.9.6, 2.8 to 2.8.12 |
| Versions fixed: | 3.1.1, 3.0.5 and 2.9.7 |
| Reported by: | Stuart R Mealor |
| Issue no.: | MDL-53431 |
| CVE identifier: | CVE-2016-5014 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-53431 |
MSA-16-0021: Unenrolled user still receives event monitor notifications even though they can no longer access course
by Marina Glancy
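The flaw described in this advisory is an authorization check made once, when the subscription is created, and never repeated when a notification is delivered. The following is an added illustration in Python, not Moodle's code or the MDL-53431 patch; `Monitor`, `Course`, `Subscription` and the sample ids are hypothetical names constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Course:
    id: int
    enrolled: set = field(default_factory=set)   # user ids with current access

@dataclass
class Subscription:
    user_id: int
    course_id: int
    active: bool = True

class Monitor:
    """Constructed model of an event notifier; hypothetical, not Moodle code."""
    def __init__(self, courses):
        self.courses = {c.id: c for c in courses}
        self.subs = []

    def can_access(self, user_id, course_id):
        # A deleted course counts as "no access" as well.
        course = self.courses.get(course_id)
        return course is not None and user_id in course.enrolled

    def subscribe(self, user_id, course_id):
        # Create-time check: the only check made in the flawed behaviour.
        if not self.can_access(user_id, course_id):
            raise PermissionError("no access to course")
        self.subs.append(Subscription(user_id, course_id))

    def notify(self, course_id, message, recheck=True):
        """Return [(user_id, message)] to deliver; recheck=False is the flawed path."""
        delivered = []
        for sub in self.subs:
            if sub.course_id != course_id or not sub.active:
                continue
            if recheck and not self.can_access(sub.user_id, course_id):
                sub.active = False   # deactivate the stale subscription
                continue
            delivered.append((sub.user_id, message))
        return delivered

def demo():
    course = Course(id=101, enrolled={7, 8})     # constructed sample data
    mon = Monitor([course])
    mon.subscribe(7, 101)
    mon.subscribe(8, 101)
    course.enrolled.discard(7)                   # user 7 is unenrolled afterwards
    flawed = mon.notify(101, "grade updated", recheck=False)
    fixed = mon.notify(101, "grade updated", recheck=True)
    return flawed, fixed
```
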