Security announcements

MSA-17-0021: Students can find out email addresses of other students in the same course

 

By using the search on the Participants page, students could search the email addresses of all participants regardless of email visibility. This allows them to enumerate and guess the email addresses of other students.


Severity/Risk: Minor
Versions affected: 3.3 to 3.3.2, 3.2 to 3.2.5, 3.1 to 3.1.8 and earlier unsupported versions
Versions fixed: 3.4, 3.3.3, 3.2.6 and 3.1.9
Reported by: Tim Schroeder
Workaround: Prohibit capability 'moodle/course:viewparticipants' (View participants) for Student role until Moodle is upgraded
CVE identifier: CVE-2017-15110
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-60550
Tracker issue: MDL-60550 Students can find out email addresses of other students who set theirs to "hidden"
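
The search behaviour described above, as a simplified model added here (it is not Moodle's code or the MDL-60550 patch): a search that matches on a field the viewer is not allowed to read reveals that field through which users appear in the results. The Participant fields, the roster data and the viewer_sees_all flag are constructed assumptions for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Participant:
    name: str
    email: str
    email_visible: bool  # assumed stand-in for the user's email display setting

# Constructed sample roster, not real data.
ROSTER = [
    Participant("Alice Ng", "alice.ng@example.edu", True),
    Participant("Bob Ruiz", "bruiz77@example.org", False),
    Participant("Cara Holt", "cara@example.edu", False),
]

def search_vulnerable(roster, term):
    """Matches name or email for everyone, so hidden emails still shape the results."""
    t = term.lower()
    return [p.name for p in roster if t in p.name.lower() or t in p.email.lower()]

def search_hardened(roster, term, viewer_sees_all=False):
    """Email is a searchable field only where the viewer may also read it."""
    t = term.lower()
    found = []
    for p in roster:
        email_ok = p.email_visible or viewer_sees_all
        if t in p.name.lower() or (email_ok and t in p.email.lower()):
            found.append(p.name)
    return found

def leaks_hidden_email(search, roster):
    """Regression check: a term found only in a hidden email must not select that user."""
    for p in roster:
        if p.email_visible:
            continue
        local = p.email.split("@")[0].lower()
        if local in p.name.lower():
            continue  # the term would match through the visible name anyway
        if p.name in search(roster, local):
            return True
    return False

if __name__ == "__main__":
    print("vulnerable search leaks:", leaks_hidden_email(search_vulnerable, ROSTER))
    print("hardened search leaks:  ", leaks_hidden_email(search_hardened, ROSTER))
```

The same check applies to any filter, sort or autocomplete that can be keyed on a field with per-user visibility: the result set must not change based on data the viewer cannot see.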