MSA-21-0031: Messaging email notifications containing HTML may hide the final line of the email

by Michael Hawkins.  

In some circumstances, the email notification sent for a message could have its final line, the link back to the original message on the site, hidden by HTML in the message body, so the recipient sees only the message content and not the genuine link. This may pose a phishing risk.


...
Severity/Risk: Minor
Versions affected: 3.11, 3.10 to 3.10.4, 3.9 to 3.9.7 and earlier unsupported versions
Versions fixed: 3.11.1, 3.10.5 and 3.9.8
Reported by: i_am_nobody
CVE

MSA-21-0030: Insufficient escaping of users' names in account confirmation email

by Michael Hawkins.  

Users' names were inserted into the account confirmation email without sufficient escaping. Because a self-registering user chooses their own name, a crafted name could inject content into that email, posing a phishing risk; the names now receive additional sanitizing.


...
Severity/Risk: Minor
Versions affected: 3.11, 3.10 to 3.10.4, 3.9 to 3.9.7 and earlier unsupported versions
Versions fixed: 3.11.1, 3.10.5 and 3.9.8
Reported by: Babar Khan Akhunzada
CVE identifier: CVE-2021-3

MSA-21-0029: Stored XSS when exporting to data formats supporting HTML via user ID number

by Michael Hawkins.  

ID numbers exported in data formats that support HTML required additional sanitizing to prevent a stored XSS risk. Note that the XSS payload was carried in the downloaded export file and would execute only when that file is opened locally, not on the Moodle site's domain.


...
Severity/Risk: Minor
Versions affected: 3.11, 3.10 to 3.10.4, 3.9 to 3.9.7 and earlier unsupported versions
Versions fixed: 3.1
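MSA-21-0030 and MSA-21-0029 come down to the same defect: a string a user controls (their own name, their ID number) is written into an HTML document without escaping. The following is an added example, not Moodle's code, that renders both documents with and without escaping and uses Python's HTML parser to list which tags survive, which is the check a reviewer would want; the templates, function names and the constructed sample values are assumptions.

```python
# Added example (not Moodle's code): output-escaping the user-controlled
# strings described in MSA-21-0030 (names in the confirmation email) and
# MSA-21-0029 (ID numbers in HTML exports), with a parser-based check that
# shows whether attacker markup survives. Templates, function names and the
# sample data below are assumptions made for illustration.
import html
from html.parser import HTMLParser


class TagCollector(HTMLParser):
    """Record every start tag the HTML parser sees, in document order."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def find_tags(document: str) -> list:
    """Return the start tags a browser-like parser would find in `document`."""
    parser = TagCollector()
    parser.feed(document)
    parser.close()
    return parser.tags


def render_confirmation_email(fullname: str, confirm_url: str, escape: bool = True) -> str:
    """HTML body of a self-registration confirmation email (hypothetical template).

    escape=False reproduces the MSA-21-0030 defect: the name the registrant
    typed is dropped into the HTML unchanged, so it can carry markup such as
    a link to an attacker's page placed right next to the real one.
    """
    name = html.escape(fullname) if escape else fullname
    url = html.escape(confirm_url)  # quote=True by default, so it is safe inside href=""
    return (
        f"<p>Hello {name},</p>\n"
        f'<p>Confirm your account: <a href="{url}">{url}</a></p>'
    )


def export_users_html(rows, escape: bool = True) -> str:
    """Render (idnumber, fullname) rows as an HTML table export (hypothetical format).

    escape=False reproduces the MSA-21-0029 defect: a stored ID number is
    written into the exported file verbatim, so a crafted value becomes a
    script that runs when the downloaded file is opened in a browser.
    """
    def cell(value):
        return html.escape(str(value)) if escape else str(value)

    body = "".join(f"<tr><td>{cell(idn)}</td><td>{cell(name)}</td></tr>" for idn, name in rows)
    return f"<table>{body}</table>"


# Constructed sample inputs: a registrant who chose a name containing a link,
# and a user record whose ID number contains a script tag.
CRAFTED_NAME = '<a href="https://evil.example/login">Confirm your account here</a>'
CRAFTED_IDNUMBER = "<script>alert(document.cookie)</script>"
CONFIRM_URL = "https://moodle.example/login/confirm.php?data=abc123/mallory"
SAMPLE_ROWS = [("1001", "Ada Lovelace"), (CRAFTED_IDNUMBER, "Mallory")]


def injected_tags(escape: bool) -> dict:
    """Tags found in both documents when rendered with or without escaping."""
    return {
        "email": find_tags(render_confirmation_email(CRAFTED_NAME, CONFIRM_URL, escape)),
        "export": find_tags(export_users_html(SAMPLE_ROWS, escape)),
    }


if __name__ == "__main__":
    for escape in (False, True):
        # Unescaped: the email gains a second <a> and the export gains a <script>.
        print("escape =", escape, injected_tags(escape))
```

Escaping at the point where the value is written into HTML is the fix in both cases; the parser check is useful because it reads the document the way a mail client or browser would, rather than grepping for the literal payload.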

MSA-21-0028: IDOR allows removal of other users' calendar URL subscriptions

by Michael Hawkins.  

Insufficient capability checks on the action that removes a calendar URL subscription made it possible for a user to remove other users' subscriptions by referencing their subscription directly (an insecure direct object reference), since the action did not verify that the subscription belonged to the requesting user.


...
Severity/Risk: Minor
Versions affected: 3.11, 3.10 to 3.10.4, 3.9 to 3.9.7 and earlier unsupported versions
Versions fixed: 3.11.1, 3.10.5 and 3.9.8
Reported by: Floerer
CVE identifier: CVE-2021-36400
Changes (master): http://git.moodle.
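The missing check in MSA-21-0028 is the ownership test that relates the object being deleted to the user making the request. The following is an added example, not Moodle's code, showing the pre-fix and fixed shapes of such a deletion on a hypothetical in-memory store; the class and method names, the capability string "calendar:manage_all_subscriptions" and the sample data are assumptions.

```python
# Added example, not Moodle's code: the ownership/capability check whose
# absence MSA-21-0028 describes, shown on a hypothetical in-memory store of
# calendar URL subscriptions. Class and method names, the capability string
# "calendar:manage_all_subscriptions" and the sample data are assumptions.
from dataclasses import dataclass, field


@dataclass
class Subscription:
    sub_id: int
    owner_id: int
    url: str


@dataclass
class CalendarStore:
    subscriptions: dict = field(default_factory=dict)   # sub_id -> Subscription
    capabilities: dict = field(default_factory=dict)    # user_id -> set of capability names

    def add(self, sub: Subscription) -> None:
        self.subscriptions[sub.sub_id] = sub

    def has_capability(self, user_id, cap: str) -> bool:
        return cap in self.capabilities.get(user_id, set())

    def delete_subscription_vulnerable(self, actor_id, sub_id: int) -> Subscription:
        """Pre-fix shape: requires a logged-in user and an existing record,
        but never relates the record to the actor. Any user can therefore
        delete any subscription just by supplying its id (an IDOR)."""
        if actor_id is None:
            raise PermissionError("login required")
        sub = self.subscriptions.get(sub_id)
        if sub is None:
            raise LookupError("no such subscription")
        del self.subscriptions[sub_id]
        return sub

    def delete_subscription(self, actor_id, sub_id: int) -> Subscription:
        """Fixed shape: the record must belong to the actor, unless the actor
        holds a site-wide management capability. A subscription the actor may
        not touch is reported exactly like one that does not exist, so the
        endpoint does not confirm which ids are in use."""
        if actor_id is None:
            raise PermissionError("login required")
        sub = self.subscriptions.get(sub_id)
        allowed = sub is not None and (
            sub.owner_id == actor_id
            or self.has_capability(actor_id, "calendar:manage_all_subscriptions")
        )
        if not allowed:
            raise LookupError("no such subscription")
        del self.subscriptions[sub_id]
        return sub


def build_sample_store() -> CalendarStore:
    """Constructed data: two users with one subscription each, plus an admin (99)."""
    store = CalendarStore()
    store.add(Subscription(7, owner_id=1, url="https://calendar.example/alice.ics"))
    store.add(Subscription(8, owner_id=2, url="https://calendar.example/bob.ics"))
    store.capabilities[99] = {"calendar:manage_all_subscriptions"}
    return store


def attempt_delete(store: CalendarStore, actor_id, sub_id: int, fixed: bool = True) -> str:
    """Run one deletion through the fixed or the vulnerable path and summarise the outcome."""
    delete = store.delete_subscription if fixed else store.delete_subscription_vulnerable
    try:
        delete(actor_id, sub_id)
        return "deleted"
    except PermissionError:
        return "login required"
    except LookupError:
        return "not found"


if __name__ == "__main__":
    # User 2 tries to remove user 1's subscription (id 7) through both code paths.
    print("vulnerable:", attempt_delete(build_sample_store(), 2, 7, fixed=False))  # deleted
    print("fixed:     ", attempt_delete(build_sample_store(), 2, 7))               # not found
```

The fixed path looks the record up and tests ownership before acting, and it answers "not found" for both a missing id and someone else's id; a separate "forbidden" response would tell a probing user which subscription ids exist even though they cannot delete them.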