| Topic: | System user profile leaks email when maildisplay == 2 |
| Severity: | Major |
| Versions affected: | < 2.0.3 (1.9.x not affected) |
| Reported by: | Petr Škoda |
| Issue no.: | MDL-26621 |
| Solution: | Upgrade to 2.0.3 |
| Workaround: | Disable email display in profiles |
Description:
Email addresses of users were being displayed on the full profile page when they had indicated it should appear to course members only.
| Topic: | Quiz review page does not check and enforce separate groups mode |
| Severity: | Major |
| Versions affected: | < 1.9.12 and < 2.0.3 |
| Reported by: | Claire Browne |
| Issue no.: | MDL-25122 |
| Solution: | Upgrade to the latest version |
| Workaround: | Remove permission to view quiz reports |
Description:
When a teacher is assigned to a group they can view quiz reports for all students, not just the students in their group.
| Topic: | "Force password change" not happening |
| Severity: | Minor |
| Versions affected: | < 2.0.3 (1.9.x not affected) |
| Reported by: | Stephen Overall |
| Issue no.: | MDL-26803 |
| Solution: | Upgrade to 2.0.3 |
| Workaround: | After uploading users via CSV, force password change using bulk user actions |
Description:
This vulnerability allows new users, who were added via CSV, access without being required to change their password.
| Topic: | Multiple cross-site scripting problems in media filter |
| Severity: | Major |
| Versions affected: | <1.9.11 and <2.0.2 |
| Reported by: | Internal code review |
| Issue no.: | MDL-26030 |
| Solution: | Upgrade to latest version |
| Workaround: | Disable media filter |
Description:
Incorrect text escaping in media filter could allow authenticated users to launch cross-site scripting attacks.
| Topic: | Incorrect default for mod:course/delete capability in teacher role |
| Severity: | Potential problem |
| Versions affected: | <2.0.2 (1.9.x not affected) |
| Reported by: | Patrick Pollet |
| Issue no.: | MDL-25672 |
| Solution: | Fix teacher role permissions manually |
Description:
By default in new installations teachers were allowed to delete courses.
| Topic: | My profile block may disclose private information if used in user context |
| Severity: | Minor |
| Versions affected: | <2.0.2 (1.9.x not affected) |
| Reported by: | Internal code review |
| Issue no.: | MDL-26034 |
| Solution: | Upgrade to latest version |
| Workaround: | Uninstall the myprofile block and delete block/myprofile files |
Description:
The My profile block could allow disclosure of private information when placed on pages in the user context. The block was changed to show only current user information.
| Topic: | IMS enterprise enrolment file may disclose sensitive information |
| Severity: | Major |
| Versions affected: | <1.9.11 and <2.0.2 |
| Reported by: | Internal code review |
| Issue no.: | MDL-26189 |
| Solution: | Upgrade to latest version |
| Workaround: | Move the imsenterprise-enrol.xml file outside of the course files area |
Description:
Putting the IMS enterprise enrol file in the course files area may result in disclosure of sensitive information.
| Topic: | Cross-site scripting vulnerability in course tags |
| Severity: | Major |
| Versions affected: | <2.0.2 (1.9.x not affected) |
| Reported by: | Internal code review |
| Issue no.: | MDL-26196 |
| Solution: | Upgrade to latest version |
| Workaround: | Disable tags |
Description:
We have discovered a missing parameter validation in course tag code, this could allow attacker to launch cross-site scripting attack.
| Topic: | Cross-site request forgery and missing access control in course completion |
| Severity: | Major |
| Versions affected: | <2.0.2 (1.9.x not affected) |
| Reported by: | Internal code review |
| Issue no.: | MDL-26198 |
| Solution: | Upgrade to latest version |
| Workaround: | Disable course completion |
Description:
We have discovered several problems in the course completion code during code review which could allow an attacker to mark activities and courses as completed.
| Topic: | Cross-site scripting vulnerability in spikephpcoverage |
| Severity: | Major |
| Versions affected: | <2.0.2 (1.9.x not affected) |
| Reported by: | AutoSec Tools |
| Issue no.: | MDL-26237 |
| Solution: | Upgrade to latest version |
| Workaround: | Delete lib/spikephpcoverage/src/phpcoverage.remote.top.inc.php and lib/spikephpcoverage/src/phpcoverage.remote.bottom.inc.php |
Description:
AutoSec Tools published a report of cross-site scripting vulnerability in a bundled spikephpcoverage library.