Boletines de Vulnerabilidades

MSA-23-0011: Teacher can access names of users they do not have permission to access

Información sobre el sistema
   
Software afectado PHP

Descripción
par Michael Hawkins. Insufficient filtering of grade report history made it possible for teachers to access the names of users they could not otherwise access.Severity/Risk:MinorVersions affected:4.1 to 4.1.1, 4.0 to 4.0.6, 3.11 to 3.11.12, 3.9 to 3.9.19 and earlier unsupported versionsVersions fixed:4.1.2, 4.0.7, 3.11.13 and 3.9.20Reported by:DegrangeMCVE identifier:CVE-2023-28336Changes (master):http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-76809Tracker

More info:

https://moodle.org/mod/forum/discuss.php?d=445068&parent=1788901

Identificadores estándar
Propiedad Valor
CVE CVE-2023-28336.

Histórico de versiones
Versión Comentario Fecha
1.0 Advisory issued 2023-06-22

Miembros de

CERT
FIRST
TF-CSIRT
EGC Group
UE
Red Nacional de SOC
Foro Nacional de Ciberseguridad
CSIRT.es
Ministerio de Defensa
CNI
CCN
CCN-CERT