MSA-21-0010: Fetching a user's enrolled courses via web services did not check profile access in each course

by Michael Hawkins.  

The web service responsible for fetching other users' enrolled courses did not validate that the requesting user had permission to view that information in each course.


Severity/Risk: Minor
Versions affected: 3.10 to 3.10.1, 3.9 to 3.9.4, 3.8 to 3.8.7, 3.5 to 3.5.16 and earlier unsupported versions
Versions fixed: 3.10.2, 3.9.5, 3.8.8 and 3.5.17
Reported by: Paul Holden
CVE identifier: CVE-2021-20283
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-70822
Tracker issue: MDL-70822 Fetching a user's enrolled courses via web services did not check profile access in each course
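
The class of flaw described above, shown as an added example: a simplified Python model, not Moodle's code or the actual patch. All names (the `view_profiles` capability, the functions, the users and courses) are hypothetical and the data is constructed. It puts a course listing with no per-course check beside one that filters each course on profile access, plus a helper that reports the difference for regression testing.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Enrolment:
    user: str
    course: str
    capabilities: frozenset = frozenset()  # capabilities held in this course

# Constructed sample data; "view_profiles" is a hypothetical capability name.
ENROLMENTS = [
    Enrolment("student_a", "maths"),
    Enrolment("student_a", "history"),
    Enrolment("student_a", "counselling"),
    Enrolment("teacher_b", "maths", frozenset({"view_profiles"})),
    Enrolment("student_c", "history"),
]

def courses_of(user):
    """All courses the user is enrolled in, sorted for stable output."""
    return sorted(e.course for e in ENROLMENTS if e.user == user)

def can_view_profile(viewer, target, course):
    """Per-course decision: may `viewer` see `target`'s profile in `course`?"""
    if viewer == target:
        return True
    return any(
        e.user == viewer and e.course == course
        and "view_profiles" in e.capabilities
        for e in ENROLMENTS
    )

def list_courses_flawed(viewer, target):
    """Behaviour the advisory describes: the viewer is never checked per course."""
    return courses_of(target)

def list_courses_fixed(viewer, target):
    """Return only the courses in which the viewer has profile access."""
    return [c for c in courses_of(target) if can_view_profile(viewer, target, c)]

def leaked_courses(viewer, target):
    """Regression helper: courses the flawed listing discloses but the fixed one withholds."""
    fixed = set(list_courses_fixed(viewer, target))
    return sorted(set(list_courses_flawed(viewer, target)) - fixed)

if __name__ == "__main__":
    for viewer in ("teacher_b", "student_c", "student_a"):
        print(viewer, list_courses_fixed(viewer, "student_a"),
              "leaked before fix:", leaked_courses(viewer, "student_a"))
```

A test suite for this kind of endpoint can assert that `leaked_courses` is empty for every viewer and target pair once the per-course filter is in place.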

Read more https://moodle.org/mod/forum/discuss.php?d=419654&parent=1691273