Security announcements

MSA-17-0015: Course creators are able to change system default settings for courses

 
Picture of Marina Glancy
MSA-17-0015: Course creators are able to change system default settings for courses
 

Insufficient permission check in "Site administration" tree allows users who have permission to access one page in the tree to change other settings.


Severity/Risk: Minor
Versions affected: 3.3, 3.2 to 3.2.3, 3.1 to 3.1.6 and earlier unsupported versions
Versions fixed: 3.3.1, 3.2.4 and 3.1.7
Reported by: Thomas Jaisson
CVE identifier: CVE-2017-7532
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-59409
Tracker issue: MDL-59409 Course creators are able to change system default settings for courses