Security announcements

MSA-17-0013: Missing permission check when adding forum post attachments in Web Services

 
Marina Glancy

Users without the capability to add attachments to forum posts were able to do so via Web Services. This Web Service is used in the mobile app.


Severity/Risk: Minor
Versions affected: 3.2 to 3.2.2 and 3.1 to 3.1.5
Versions fixed: 3.2.3 and 3.1.6
Reported by: Juan Leyva
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-58259
Tracker issue: MDL-58259 Forum post Web Services should check if the user has permissions to add attachments
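
The class of bug described above, modelled as an added example (not Moodle's code and not the MDL-58259 patch): a service handler that trusts the client to leave attachments out, beside one that re-checks the capability on the server. The capability name `forum:attach`, the `attachment_ids` option and all function names are hypothetical, and the sample data is constructed.

```php
<?php
// Simplified model of a missing server-side permission check in a web service.
// Everything here is illustrative: names, capability string and data are hypothetical.
const CAP_ATTACH = 'forum:attach';

/** Capability lookup: $caps maps a user id to the list of capabilities granted to it. */
function user_can(array $caps, int $userid, string $cap): bool {
    return in_array($cap, $caps[$userid] ?? [], true);
}

/**
 * Unchecked shape: the web form hides the attachment field from users who lack
 * the capability, but the service accepts whatever the client sends.
 */
function add_post_unchecked(array $caps, int $userid, string $message, array $options): array {
    return [
        'userid'      => $userid,
        'message'     => $message,
        'attachments' => $options['attachment_ids'] ?? null,
    ];
}

/**
 * Checked shape: the service repeats the capability check itself and only then
 * honours the attachment option. Rejecting the request outright is an
 * alternative to dropping the attachment silently.
 */
function add_post_checked(array $caps, int $userid, string $message, array $options): array {
    $post = ['userid' => $userid, 'message' => $message, 'attachments' => null];
    if (isset($options['attachment_ids']) && user_can($caps, $userid, CAP_ATTACH)) {
        $post['attachments'] = $options['attachment_ids'];
    }
    return $post;
}

// Constructed sample data: user 1 holds the capability, user 2 does not.
$caps    = [1 => [CAP_ATTACH], 2 => []];
$options = ['attachment_ids' => [4242]];

// Same request from user 2 through both handlers, then from user 1 through the checked one.
var_dump(add_post_unchecked($caps, 2, 'hello', $options)['attachments']);
var_dump(add_post_checked($caps, 2, 'hello', $options)['attachments']);
var_dump(add_post_checked($caps, 1, 'hello', $options)['attachments']);
```

When reviewing service endpoints that mirror a web form, compare each capability check made while building or processing the form against the checks made in the corresponding service function.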