Hi Everyone,
I have just been made aware of this issue by a colleague; however, I cannot find any further information on the issue, i.e. how to recreate it or test if the issue is still available.
Does this still affect version 3.5.10 or has this been resolved?
Thanks
Looking at the tracker issue (MOBILE-3163 - restricted to people in the security group):
* It is a bug in the mobile app, not in the Moodle server. Fixed in version 3.7.2 of the mobile app, and given the way app stores work, most people will probably already have the upgrade. (3.7.2 was released 20 September 2019.)
* If I understand correctly, to exploit the vulnerability requires something malicious to be set up on the Moodle server, and that can only be set up by someone with editing teacher permissions.
So: you are only at risk if:
* You have users using a version of the mobile app < 3.7.2
* You have users with editing teacher rights who cannot be trusted.
So, probably low risk.