Vulnerability Bulletins

MSA-21-0008: User full name disclosure within online users block


System information

   
Affected software PHP

Description

by Michael Hawkins.

It was possible for some users without permission to view other users' full names to do so via the online users block.

Severity/Risk: Minor
Versions affected: 3.10 to 3.10.1, 3.9 to 3.9.4, 3.8 to 3.8.7, 3.5 to 3.5.16 and earlier unsupported versions
Versions fixed: 3.10.2, 3.9.5, 3.8.8 and 3.5.17
Reported by: Ankit Agarwal
Workaround: Hide the online users block (via Site administration > Plugins > Blocks > Manage blocks) until the patch has been applied.
CVE

More info:

https://moodle.org/mod/forum/discuss.php?d=419652&parent=1691268

Standard resources

Property Value
CVE CVE-2021-20281.

Version history

Version Comments Date
1.0 Advisory issued 2021-03-16
Ministerio de Defensa
CNI
CCN
CCN-CERT