MSA-17-0006: User fullname disclosure on user preferences page

by Marina Glancy

Some pages show full names of users as part of the permission error message, even for users who do not have the capability to view full names.


Severity/Risk: Minor
Versions affected: 3.3, 3.2 to 3.2.3, 3.1 to 3.1.6 and earlier unsupported versions
Versions fixed: 3.3.1, 3.2.4 and 3.1.7
Reported by: Andreas Grabs
CVE identifier: CVE-2017-2642
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-56565
Tracker issue: MDL-56565 User fullname disclosure on user preferences page