Security announcements

MSA-17-0009: XSS in attachments to evidence of prior learning

 
Marina Glancy
 
Description: Files attached to evidence of prior learning were served without forcing download. When viewed by other users, they would be opened in those users' current Moodle sessions.
Issue summary: XSS in attachments to evidence of prior learning
Severity/Risk: Serious
Versions affected: 3.2 to 3.2.1 and 3.1 to 3.1.4
Versions fixed: 3.2.2 and 3.1.5
Reported by: wez3
Issue no.: MDL-57597
CVE identifier: CVE-2017-2645
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-57597
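The difference between serving an attachment inline and forcing download, as an added example that is not Moodle's code or the actual fix: it builds the response headers both ways and checks whether a browser would render the file in the serving origin. The function names, the `ACTIVE_TYPES` list and the sample filenames are assumptions made for illustration.

```python
from urllib.parse import quote

# Content types a browser renders as active content in the serving origin
# (constructed list for this example, not taken from Moodle).
ACTIVE_TYPES = {"text/html", "application/xhtml+xml", "image/svg+xml",
                "text/xml", "application/xml"}


def attachment_headers(filename, mimetype, force_download):
    """Build response headers for a stored user upload.

    force_download=False models the behaviour the advisory describes;
    force_download=True is the hardened form.
    """
    disposition = "attachment" if force_download else "inline"
    # ASCII fallback name: replace anything that could break out of the
    # quoted filename parameter (quotes, separators, control characters).
    ascii_name = "".join(
        c if (c.isalnum() or c in "._-") else "_"
        for c in filename if ord(c) < 128
    ) or "download"
    headers = {
        "Content-Type": mimetype,
        "Content-Disposition": (
            f'{disposition}; filename="{ascii_name}"; '
            f"filename*=UTF-8''{quote(filename, safe='')}"
        ),
    }
    if force_download:
        # Defence in depth: tell the browser not to second-guess the type.
        headers["X-Content-Type-Options"] = "nosniff"
    return headers


def renders_in_session(headers):
    """True if the response would be rendered as active content in the
    origin that served it, i.e. with the viewer's session available."""
    disposition = headers.get("Content-Disposition", "inline")
    disposition = disposition.split(";")[0].strip().lower()
    mimetype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    return disposition != "attachment" and mimetype in ACTIVE_TYPES


if __name__ == "__main__":
    for force in (False, True):
        h = attachment_headers("evidence.html", "text/html", force)
        print(f"force_download={force}: renders_in_session={renders_in_session(h)}")
```
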