Authenticated user are allowed to add HTML blocks containing scripts to their Dashboard and this is normally not a security issue because personal dashboard is visible to this user only. Through this security vulnerability users can move such block to other pages where they can be viewed by other users.
| Severity/Risk: | Serious |
| Versions affected: | 3.4 to 3.4.2, 3.3 to 3.3.5, 3.2 to 3.2.8, 3.1 to 3.1.11 and earlier unsupported versions |
| Versions fixed: | 3.5, 3.4.3, 3.3.6, 3.2.9 and 3.1.12 |
| Reported by: | Brendan Cox |
| Workaround: | Prohibit capability 'moodle/my:manageblocks' from Authenticated user role until the fix is applied |
| CVE identifier: | CVE-2018-1136 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-62206 |
| Tracker issue: | MDL-62206 User can shift a block from Dashboard to any page |