Users with the capability to configure badge criteria (teachers and managers by default) were able to configure course badges with profile field criteria, which should only be available for site badges.
Severity/Risk: Minor
Versions affected: 3.11 to 3.11.5, 3.10 to 3.10.9, 3.9 to 3.9.12 and earlier unsupported versions
Versions fixed: 3.11.6, 3.10.10 and 3.9.13
Reported by: Andrew Lyons
Workaround: Remove the moodle/badges:configurecriteria capability from users to prevent them accessing the relevant functionality until the patch is applied.
CVE identifier: CVE-2022-0984
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-74075
Tracker issue: MDL-74075 Possible to reach the profile field badge criteria on a course page
Read more https://moodle.org/mod/forum/discuss.php?d=432949&parent=1742075