An SQL injection risk was identified in Badges code relating to configuring criteria. Access to the relevant capability was limited to teachers and managers by default.
NOTE: Please pay particular attention to this fix. Information was recently released online about this vulnerability by third parties, so please upgrade or...
The "delete badge alignment" functionality did not include the necessary token check to prevent a CSRF risk.
| Severity/Risk: | Serious |
| Versions affected: | 3.11 to 3.11.4, 3.10 to 3.10.8, 3.9 to 3.9.11 and earlier unsupported versions |
| Versions fixed: | 3.11.5, 3.10.9 and 3.9.12 |
| Reported by: | Ostapbender |
| CVE identifier: | CVE-2022-0335 |
| Changes |
Insufficient capability checks could lead to users accessing their grade report for courses where they did not have the required gradereport/user:view capability.
| Severity/Risk: | Minor |
| Versions affected: | 3.11 to 3.11.4, 3.10 to 3.10.8, 3.9 to 3.9.11 and earlier unsupported versions |
| Versions fixed: | 3.11.5, 3.10.9 and 3.9.12 |
| Reporte |
The calendar:manageentries capability allowed managers to access or modify any calendar event, but should have been restricted from accessing user level events.
| Severity/Risk: | Minor |
| Versions affected: | 3.11 to 3.11.4, 3.10 to 3.10.8, 3.9 to 3.9.11 and earlier unsupported versions |
| Versions fixed: | 3.11.5, 3.10.9 and 3.9.12 |
| Reported |