| Topic: | Course creator role has incorrect default permissions |
| Severity: | Minor |
| Versions affected: | < 2.0.4, < 2.1.1 (1.9.x not affected) |
| Reported by: | Ray Lawrence |
| Issue no.: | MDL-27994 |
| Solution: | Manually alter permissions in older sites to remove rights from course creators |
Description:
The default permission for course creators allowed them to alter course filters, which was an issue for users with mixed roles.
| Topic: | moodle_enrol_external:role_assign() does not obey role assignment restrictions |
| Severity: | Minor |
| Versions affected: | < 2.0.4, < 2.1.1 (1.9.x not affected) |
| Reported by: | Petr Škoda |
| Issue no.: | MDL-28350 |
| Solution: | upgrade to 2.0.4 or 2.1.1 |
| Workaround: | avoid using web services |
Description:
Not all roles may be assigned by everybody in all contexts, but this was not being checked.
| Topic: | Continuation link can sometimes link offsite |
| Severity: | Minor |
| Versions affected: | < 1.9.13, < 2.0.4, < 2.1.1 |
| Reported by: | Matt Meisberger |
| Issue no.: | MDL-27464 |
| Solution: | upgrade to latest version |
| Workaround: | apply patch |
Description:
It was possible for error message links to lead offsite
| Topic: | Theme cache folder |
| Severity: | Minor |
| Versions affected: | < 2.0.4, < 2.1.1 (1.9.x not affected) |
| Reported by: | Matthew Davidson |
| Issue no.: | MDL-28147 |
| Solution: | upgrade to 2.0.4 or 2.1.1 |
| Workaround: | apply Git patch |
Description:
When caching is incorrectly controlled by a theme, there was the potential for writing to a file system's temporary directory.
| Topic: | Cohort enrol plugin capability problems and missing cohort access control |
| Severity: | Minor |
| Versions affected: | < 2.0.4, < 2.1.1 (1.9.x not affected) |
| Reported by: | Petr Škoda |
| Issue no.: |
MDL-28432 |
| Solution: | upgrade to 2.0.4 or 2.1.1 |
| Workaround: | avoid using cohorts |
Description:
In order to securely control the creation and oversight of cohorts, additional capabilities have been introduced.
| Topic: | Ability to generate invalid records in the comments table in the database |
| Severity: | Major |
| Versions affected: | < 2.0.3 (1.9.x not affected) |
| Reported by: | Sam Hemelryk |
| Issue no.: | MDL-26854 |
| Solution: | Upgrade to 2.0.3 |
| Workaround: | None - please upgrade as soon as possible |
Description:
This is a significant bug in the comments system which allows an authenticated user to fill the comments table in the database with completely invalid records.
| Topic: | Ability to fill a database with invalid records through ratings |
| Severity: | Major |
| Versions affected: | < 2.0.3 (1.9.x not affected) |
| Reported by: | Sam Hemelryk |
| Issue no.: | MDL-26838 |
| Solution: | Upgrade to the latest version |
| Workaround: | None - please upgrade to the latest version as soon as possible |
Description:
It is possible if logged in as an authenticated user to generate invalid records within the rating table of the database, and if someone was intent on doing destruction they could write a script to spam the database.
| Topic: | Cross Site Scripting in multiple pages |
| Severity: | Major |
| Versions affected: | < 1.9.12 |
| Reported by: | Panagiotis Petasis |
| Issue no.: | MDL-26966 |
| Solution: | Upgrade to the latest version |
Description:
A vulnerability assessment done by the Acunetix Web Scanner revealed possible XSS vulnerabilities in pages of Moodle.
| Topic: | System user profile leaks email when maildisplay == 2 |
| Severity: | Major |
| Versions affected: | < 2.0.3 (1.9.x not affected) |
| Reported by: | Petr Škoda |
| Issue no.: | MDL-26621 |
| Solution: | Upgrade to 2.0.3 |
| Workaround: | Disable email display in profiles |
Description:
Email addresses of users were being displayed on the full profile page when they had indicated it should appear to course members only.
| Topic: | Quiz review page does not check and enforce separate groups mode |
| Severity: | Major |
| Versions affected: | < 1.9.12 and < 2.0.3 |
| Reported by: | Claire Browne |
| Issue no.: | MDL-25122 |
| Solution: | Upgrade to the latest version |
| Workaround: | Remove permission to view quiz reports |
Description:
When a teacher is assigned to a group they can view quiz reports for all students, not just the students in their group.