MSA-22-0001: SQL injection risk in code fetching h5p activity user attempts

by Michael Hawkins.  

An SQL injection risk was identified in the h5p activity web service responsible for fetching user attempt data.


...
Severity/Risk: Serious
Versions affected: 3.11 to 3.11.4
Versions fixed: 3.11.5
Reported by: Paul Holden
CVE identifier: CVE-2022-0332
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=c

MSA-21-0042: IDOR in a calendar web service allows fetching of other users' action events

by Michael Hawkins.  

Insufficient capability checks made it possible to fetch other users' calendar action events.


...
Severity/Risk: Minor
Versions affected: 3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10 and earlier unsupported versions
Versions fixed: 3.11.4, 3.10.8 and 3.9.11
Reported by: 0xkasper
CVE identifier: CVE-2021-43560
Changes (master): http://git