The last time a user accessed the mobile app is displayed on their profile page, but should be restricted to users with the relevant capability (site administrators by default).
| Severity/Risk: | Minor |
| Versions affected: | 3.10 to 3.10.3 |
| Versions fixed: | 3.11 and 3.10.4 |
| Reported by: | Strifel |
| CVE identifier: | CVE-2021-32477 |
| Changes (master): | h |
A denial-of-service risk was identified in the draft files area, due to it not respecting user file upload limits.
| Severity/Risk: | Serious |
| Versions affected: | 3.10 to 3.10.3, 3.9 to 3.9.6, 3.8 to 3.8.8, 3.5 to 3.5.17 and earlier unsupported versions |
| Versions fixed: | 3.11, 3.10.4, 3.9.7, 3.8.9 and 3.5.18 |
| Reported by: | Ben Samtleben |
| CVE |
ID numbers displayed in the quiz grading report required additional sanitizing to prevent a stored XSS risk.
| Severity/Risk: | Minor |
| Versions affected: | 3.10 to 3.10.3, 3.9 to 3.9.6, 3.8 to 3.8.8, 3.5 to 3.5.17 and earlier unsupported versions |
| Versions fixed: | 3.11, 3.10.4, 3.9.7, 3.8.9 and 3.5.18 |
| Reported by: | Paul Holden |
| CVE |
An SQL injection risk existed on sites with MNet enabled and configured, via an XML-RPC call from the connected peer host. Note that this required site administrator access or access to the keypair.
| Severity/Risk: | Serious |
| Versions affected: | 3.10 to 3.10.3, 3.9 to 3.9.6, 3.8 to 3.8.8, 3.5 to 3.5.17 and earlier unsupported |