MSA-21-0013: Quiz unreleased grade disclosure via web service

by Michael Hawkins.  

It was possible for a student to view their quiz grade before it had been released, using a quiz web service.


...
Severity/Risk: Serious
Versions affected: 3.10 to 3.10.3, 3.9 to 3.9.6, 3.8 to 3.8.8, 3.5 to 3.5.17 and earlier unsupported versions
Versions fixed: 3.11, 3.10.4, 3.9.7, 3.8.9 and 3.5.18
Reported by: Nadav Kavalerchik
CVE

MSA-21-0012: Forum CSV export could result in posts from all courses being exported

by Michael Hawkins.  

Teachers exporting a forum in CSV format could receive a CSV of forums from all courses in some circumstances.


...
Severity/Risk: Serious
Versions affected: 3.10 to 3.10.3, 3.9 to 3.9.6 and 3.8 to 3.8.8
Versions fixed: 3.11, 3.10.4, 3.9.7 and 3.8.9
Reported by: Daniel Konrad
Workaround: Remove the Export Forum (mod/forum:exportforum)

MSA-21-0011: JQuery versions below 3.5.0 contain some potential vulnerabilities (upstream)

by Michael Hawkins.  

The JQuery version used by Moodle required upgrading to 3.5.1 to patch some published potential vulnerabilities.


...
Severity/Risk: Minor
Versions affected: 3.10 to 3.10.1, 3.9 to 3.9.4, 3.8 to 3.8.7, 3.5 to 3.5.16 and earlier unsupported versions
Versions fixed: 3.10.2, 3.9.5, 3.8.8 and 3.5.17
Reported by: Mike Henry
CVE identifiers: C

MSA-21-0010: Fetching a user's enrolled courses via web services did not check profile access in each course

by Michael Hawkins.  

The web service responsible for fetching other users' enrolled courses did not validate that the requesting user had permission to view that information in each course.


...
Severity/Risk: Minor
Versions affected: 3.10 to 3.10.1, 3.9 to 3.9.4, 3.8 to 3.8.7, 3.5 to 3.5.16 and earlier unsupported versions
Versions fixed: 3.10.2,