MSA-21-0011: jQuery versions below 3.5.0 contain some potential vulnerabilities (upstream)

by Michael Hawkins.  

The jQuery version used by Moodle required upgrading to 3.5.1 to patch some published potential vulnerabilities.


...
Severity/Risk: Minor
Versions affected: 3.10 to 3.10.1, 3.9 to 3.9.4, 3.8 to 3.8.7, 3.5 to 3.5.16 and earlier unsupported versions
Versions fixed: 3.10.2, 3.9.5, 3.8.8 and 3.5.17
Reported by: Mike Henry
CVE identifiers: C

MSA-21-0010: Fetching a user's enrolled courses via web services did not check profile access in each course

by Michael Hawkins.  

The web service responsible for fetching other users' enrolled courses did not validate that the requesting user had permission to view that information in each course.


...
Severity/Risk: Minor
Versions affected: 3.10 to 3.10.1, 3.9 to 3.9.4, 3.8 to 3.8.7, 3.5 to 3.5.16 and earlier unsupported versions
Versions fixed: 3.10.2,

MSA-21-0009: Bypass email verification secret when confirming account registration

by Michael Hawkins.  

When creating a user account, it was possible to verify the account without having access to the verification email link/secret.


...
Severity/Risk: Minor
Versions affected: 3.10 to 3.10.1, 3.9 to 3.9.4, 3.8 to 3.8.7, 3.5 to 3.5.16 and earlier unsupported versions
Versions fixed: 3.10.2, 3.9.5, 3.8.8 and 3.5.17
Reported by: Bandjes
CVE

MSA-21-0008: User full name disclosure within online users block

by Michael Hawkins.  

It was possible for some users without permission to view other users' full names to do so via the online users block.


...
Severity/Risk: Minor
Versions affected: 3.10 to 3.10.1, 3.9 to 3.9.4, 3.8 to 3.8.7, 3.5 to 3.5.16 and earlier unsupported versions
Versions fixed: 3.10.2, 3.9.5, 3.8.8 and 3.5.17
Reported by: Ankit Agarwal
Workarou