Vulnerability Bulletins

MSA-17-0021: Students can find out email addresses of other students in the same course


System information

Affected software: PHP

Description

by Marina Glancy.

Using search on the Participants page, students could search the email addresses of all participants regardless of email visibility. This allows them to enumerate and guess the emails of other students.

Severity/Risk: Minor
Versions affected: 3.3 to 3.3.2, 3.2 to 3.2.5, 3.1 to 3.1.8 and earlier unsupported versions
Versions fixed: 3.4, 3.3.3, 3.2.6 and 3.1.9
Reported by: Tim Schroeder
Workaround: Prohibit capability moodle/course:viewparticipants (View participants) for Student role until Moodle is

More info:

https://moodle.org/mod/forum/discuss.php?d=361784&parent=1458930

Standard identifiers

Property Value
CVE CVE-2017-1511.

Version history

Version Comment Date
1.0 Advisory issued 2017-11-20
