Security announcements

MSA-17-0012: CSRF in number of courses displayed in the course overview block

 
Marina Glancy

The link that changes a user's preference for how many courses are shown in their course overview block was not protected against CSRF. This is a minor security issue, since it cannot be exploited for anybody's benefit, only to create confusion.


Severity/Risk: Minor
Versions affected: 3.2 to 3.2.2, 3.1 to 3.1.5, 3.0 to 3.0.9, 2.7 to 2.7.19 and other unsupported versions
Versions fixed: 3.2.3, 3.1.6, 3.0.10 and 2.7.20
Reported by: Lukas Schmidt
CVE identifier: CVE-2017-7491
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-58740
Tracker issue: MDL-58740 CSRF on my/index.php
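
The missing protection described in this advisory, sketched as an added example (not Moodle's code and not the actual fix): a preference-changing GET handler without and with a per-session token check. The function names, the `count` and `token` parameters and the session layout are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);

// Added illustration, not Moodle's code. Function names, the 'count' and
// 'token' parameter names and the session layout are assumptions.

/** Create (once) and return the per-session anti-CSRF token. */
function session_token(array &$session): string {
    if (!isset($session['token'])) {
        $session['token'] = bin2hex(random_bytes(16));
    }
    return $session['token'];
}

/** Unprotected: any GET carrying ?count=N changes the stored preference. */
function set_count_unprotected(array &$session, array $query): bool {
    if (!isset($query['count']) || !ctype_digit((string) $query['count'])) {
        return false;
    }
    $session['prefs']['course_count'] = (int) $query['count'];
    return true;
}

/** Protected: the request must also carry the session's token. */
function set_count_protected(array &$session, array $query): bool {
    $sent = $query['token'] ?? '';
    if (!is_string($sent) || !hash_equals(session_token($session), $sent)) {
        return false; // request did not originate from a page the site rendered
    }
    return set_count_unprotected($session, $query);
}

// Constructed sample data: one logged-in session and two requests.
$session = ['prefs' => ['course_count' => 10]];
$genuine = ['count' => '5', 'token' => session_token($session)]; // link rendered by the site
$forged  = ['count' => '1'];                                     // cross-site request, no token

$copy = $session; // separate copy so the unprotected call does not affect the rest
var_dump(set_count_unprotected($copy, $forged));   // forged request, no token check
var_dump(set_count_protected($session, $forged));  // forged request, token check
var_dump(set_count_protected($session, $genuine)); // genuine request, token check
var_dump($copy['prefs']['course_count'], $session['prefs']['course_count']);
```

The token comparison uses `hash_equals` so the check runs in constant time, and the preference is only written after the token has been verified.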