Timeline view of the new course overview block can show events for activities that user can not yet access because the course is hidden.
| Severity/Risk: | Minor |
| Versions affected: | 3.3 |
| Versions fixed: | 3.3.1 |
| Reported by: | Charles Fulton |
| CVE identifier: | CVE-2017-7531 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-59304 |
| Tracker issue: | MDL-59304 Course overview block reveals activities in hidden courses |
Some pages show full names of users as part of the permission error message even for users who do not have capability to view full names
| Severity/Risk: | Minor |
| Versions affected: | 3.3, 3.2 to 3.2.3, 3.1 to 3.1.6 and earlier unsupported versions |
| Versions fixed: | 3.3.1, 3.2.4 and 3.1.7 |
| Reported by: | Andreas Grabs |
| CVE identifier: | CVE-2017-2642 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-56565 |
| Tracker issue: | MDL-56565 User fullname disclosure on user preferences page |
Users without capability to add attachment to forum posts were able to do it via Web Services. This Web Service is used in mobile app.
| Severity/Risk: | Minor |
| Versions affected: | 3.2 to 3.2.2 and 3.1 to 3.1.5 |
| Versions fixed: | 3.2.3 and 3.1.6 |
| Reported by: | Juan Leyva |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-58259 |
| Tracker issue: | MDL-58259 Forum post Web Services should check if the user has permissions to add attachments |
The link changing user preference of how many courses to see in their course overview block was not protected against CSRF. This represents a minor security issue since it can't be exploited for anybody's benefit, only to create confusions
| Severity/Risk: | Minor |
| Versions affected: | 3.2 to 3.2.2, 3.1 to 3.1.5, 3.0 to 3.0.9, 2.7 to 2.7.19 and other unsupported versions |
| Versions fixed: | 3.2.3, 3.1.6, 3.0.10 and 2.7.20 |
| Reported by: | Lukas Schmidt |
| CVE identifier: | CVE-2017-7491 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-58740 |
| Tracker issue: | MDL-58740 CSRF on my/index.php |
Capability to search blogs was not checked properly resulting in users being able to search blogs without permission
| Severity/Risk: | Minor |
| Versions affected: | 3.2 to 3.2.2, 3.1 to 3.1.5, 3.0 to 3.0.9, 2.7 to 2.7.19 and other unsupported versions |
| Versions fixed: | 3.2.3, 3.1.6, 3.0.10 and 2.7.20 |
| Reported by: | Daniel Kosinski |
| CVE identifier: | CVE-2017-7490 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-58670 |
| Tracker issue: | MDL-58670 Users can search blogs by typing full url in address bar even with capability moodle/blog:search removed from their role |
User could edit somebody else's external blog link. The ownership of the blog would be changed to the current user, therefore compromising other people was not possible
| Severity/Risk: | Minor |
| Versions affected: | 3.2 to 3.2.2, 3.1 to 3.1.5, 3.0 to 3.0.9, 2.7 to 2.7.19 and other unsupported versions |
| Versions fixed: | 3.2.3, 3.1.6, 3.0.10 and 2.7.20 |
| Reported by: | Vuk Ivanovic |
| CVE identifier: | CVE-2017-7489 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-58635 |
| Tracker issue: | MDL-58635 External blog editing takeover |
| Description: | Serving files attached to evidence of prior learning did not force download. When viewed by other users they would be opened in current moodle sessions |
| Issue summary: | XSS in attachments to evidence of prior learning |
| Severity/Risk: | Serious |
| Versions affected: | 3.2 to 3.2.1 and 3.1 to 3.1.4 |
| Versions fixed: | 3.2.2 and 3.1.5 |
| Reported by: | wez3 |
| Issue no.: | MDL-57597 |
| CVE identifier: | CVE-2017-2645 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-57597 |
| Description: | Registered user could submit evidence of prior learning that includes XSS that will be executed for another user who tried to edit the same evidence |
| Issue summary: | XSS in evidence of prior learning |
| Severity/Risk: | Minor |
| Versions affected: | 3.2 to 3.2.1 and 3.1 to 3.1.4 |
| Versions fixed: | 3.2.2 and 3.1.5 |
| Reported by: | Jaymark Pestaño |
| Issue no.: | MDL-57596 |
| CVE identifier: | CVE-2017-2644 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-57596 |
| Description: | Global search does not respect "Force login for profiles" setting and displays user names to guests when it should not (User profiles were still not displayed) |
| Issue summary: | Global search display user names, for unauthenticated user search |
| Severity/Risk: | Minor |
| Versions affected: | 3.2 to 3.2.1 |
| Versions fixed: | 3.2.2 |
| Reported by: | Nadav Kavalerchik |
| Issue no.: | MDL-56526 |
| CVE identifier: | CVE-2017-2643 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-56526 |
| Description: | PoC was presented of SQL injection by an ordinary registered user on Moodle 3.2 via web interface. Similar scenario could be used in previous versions of Moodle but only by managers/admins and only via web services. |
| Issue summary: | Remote Code Execution @ 3.2.1 |
| Severity/Risk: | Serious |
| Versions affected: | 3.2 to 3.2.1, 3.1 to 3.1.4, 3.0 to 3.0.8, 2.7.0 to 2.7.18 and other unsupported versions |
| Versions fixed: | 3.2.2, 3.1.5, 3.0.9 and 2.7.19 |
| Reported by: | Netanel Rubin |
| Issue no.: | MDL-58010 |
| CVE identifier: | CVE-2017-2641 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-58010 |