MSA-20-0018: Some database module web services did not respect group settings

by Michael Hawkins.  

Some database module web services allowed students to add entries within groups they did not belong to.


...
Severity/Risk: Minor
Versions affected: 3.9 to 3.9.2, 3.8 to 3.8.5, 3.7 to 3.7.8, 3.5 to 3.5.14 and earlier unsupported versions
Versions fixed: 3.10, 3.9.3, 3.8.6, 3.7.9 and 3.5.15
Reported by: Dani Palou
CVE identifier: CVE-2020
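The bug class in MSA-20-0018 is an authorisation check that the UI performed but a web service skipped: the client supplies a group id, and nothing verified that the calling student was a member of that group before the entry was written. The following is an added example, not code from Moodle or from the actual fix, of the check a mod_data web service should make. It assumes Moodle's core APIs (context_module, has_capability, groups_get_activity_groupmode, groups_is_member, get_coursemodule_from_instance, require_login, the NOGROUPS and VISIBLEGROUPS constants) and treats data_add_record and the 'nopermissions' language string as assumed to exist with the signatures shown; the function names prefixed example_ are hypothetical.

```php
<?php
// Added example for the MSA-20-0018 bug class. NOT Moodle's code and NOT the
// real fix: it shows the group-membership check a mod_data web service must
// enforce before inserting an entry for the calling user. Assumes Moodle core
// APIs named in the lead-in; data_add_record() and the 'nopermissions' string
// are assumed to exist as used here.

defined('MOODLE_INTERNAL') || die();

/**
 * Decide whether $userid may add an entry in group $groupid of the database
 * activity $cm. Returns a bool so the same rule can serve the UI and the
 * web service; the web service wrapper below turns false into an exception.
 */
function example_data_can_add_entry_in_group(stdClass $cm, int $groupid, int $userid): bool {
    $context = context_module::instance($cm->id);

    // 1. The write capability is necessary but, with groups enabled, not
    //    sufficient: it says nothing about WHICH group the user may write to.
    if (!has_capability('mod/data:writeentry', $context, $userid)) {
        return false;
    }

    $groupmode = groups_get_activity_groupmode($cm);

    // 2. Groups not used, or a user allowed to access all groups (teachers by
    //    default): any group id the client supplies is acceptable.
    if ($groupmode == NOGROUPS || has_capability('moodle/site:accessallgroups', $context, $userid)) {
        return true;
    }

    // 3. A concrete group: the user must actually be a member. This is the
    //    check that is easy to forget in a web service, because $groupid
    //    arrives straight from the client rather than from a UI the server
    //    populated with the user's own groups.
    if ($groupid > 0) {
        return groups_is_member($groupid, $userid);
    }

    // 4. Group 0 ("all participants") would make the entry visible to every
    //    group; a student may only do that when groups are merely visible,
    //    never in separate-groups mode.
    return $groupmode == VISIBLEGROUPS;
}

/**
 * Web-service style wrapper: resolve the activity, enforce login and the
 * group rule, and only then create the entry record.
 */
function example_ws_add_entry(int $databaseid, int $groupid): int {
    global $DB, $USER;

    $data = $DB->get_record('data', ['id' => $databaseid], '*', MUST_EXIST);
    $cm = get_coursemodule_from_instance('data', $data->id, $data->course, false, MUST_EXIST);
    require_login($cm->course, false, $cm);

    if (!example_data_can_add_entry_in_group($cm, $groupid, $USER->id)) {
        // Refuse before any write happens; the client-chosen $groupid is untrusted.
        throw new moodle_exception('nopermissions', 'error', '', 'add entry to group ' . $groupid);
    }

    // Assumed Moodle helper that inserts the data_records row and returns its id.
    return data_add_record($data, $groupid, $USER->id);
}
```

The point of splitting the rule into its own function is that every entry point (form handler, web service, mobile API) calls the same check; the advisory's root cause is precisely that the web service path had its own, weaker logic.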

MSA-20-0017: Privilege escalation within a course when restoring role overrides

by Michael Hawkins.  

Insufficient capability checks could allow users who are permitted to restore a course to add capabilities to roles within that course that they could not otherwise grant.


...
Severity/Risk: Minor
Versions affected: 3.9 to 3.9.2, 3.8 to 3.8.5, 3.7 to 3.7.8, 3.5 to 3.5.14 and earlier unsupported versions
Versions fixed: 3.10, 3.9.3, 3.8.6, 3.7.9 and 3.5.15
Rep

MSA-20-0016: Teacher is able to unenrol users without permission using course restore

by Michael Hawkins.  

Users' enrolment capabilities were not sufficiently checked when they restored a backup into an existing course, which could allow them to unenrol users without having permission to do so.


...
Severity/Risk: Minor
Versions affected: 3.9 to 3.9.2, 3.8 to 3.8.5, 3.7 to 3.7.8, 3.5 to 3.5.14 and earlier unsupported versions
Versions

MSA-20-0015: Chapter name in book not always escaped with forceclean enabled

by Michael Hawkins.  

It was possible to include JavaScript in a book's chapter title, which was not escaped on the "Add new chapter" page.

Note: By default this functionality is only available to trusted users (such as teachers), but has been included as a security issue as a precaution, since it was not sanitized on sites with forceclean...
