MSA-21-0008: User full name disclosure within online users block

by Michael Hawkins.  

Some users who did not have permission to view other users' full names were nevertheless able to see them via the online users block.


Severity/Risk: Minor
Versions affected: 3.10 to 3.10.1, 3.9 to 3.9.4, 3.8 to 3.8.7, 3.5 to 3.5.16 and earlier unsupported versions
Versions fixed: 3.10.2, 3.9.5, 3.8.8 and 3.5.17
Reported by: Ankit Agarwal
Workaround: Hide the online users block (via Site administration > Plugins > Blocks > Manage blocks) until the patch has been applied.
CVE identifier: CVE-2021-20281
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-59293
Tracker issue: MDL-59293 User full name disclosure within online users block

Read more https://moodle.org/mod/forum/discuss.php?d=419652&parent=1691268