Security announcements

MSA-17-0006: User fullname disclosure on user preferences page

 
Picture of Marina Glancy
MSA-17-0006: User fullname disclosure on user preferences page
 

Some pages show full names of users as part of the permission error message even for users who do not have capability to view full names


Severity/Risk: Minor
Versions affected: 3.3, 3.2 to 3.2.3, 3.1 to 3.1.6 and earlier unsupported versions
Versions fixed: 3.3.1, 3.2.4 and 3.1.7
Reported by: Andreas Grabs
CVE identifier: CVE-2017-2642
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-56565
Tracker issue: MDL-56565 User fullname disclosure on user preferences page