Vulnerability Bulletins

MSA-18-0009: Portfolio forum caller class allows a user to download any file


System information

   
Affected software: PHP

Description

by Marina Glancy.

Students who posted on forum and exported the post to portfolios can download any stored Moodle file by changing the download URL.

Severity/Risk: Minor
Versions affected: 3.4 to 3.4.2, 3.3 to 3.3.5, 3.2 to 3.2.8, 3.1 to 3.1.11 and earlier unsupported versions
Versions fixed: 3.5, 3.4.3, 3.3.6, 3.2.9 and 3.1.12
Reported by: Brendan Cox
Workaround: Disable portfolios until the fix is applied. Portfolios are disabled by default in Moodle.
CVE identifier: CVE-2018-1135
Changes:

More info:

https://moodle.org/mod/forum/discuss.php?d=371201&parent=1496355

Standard identifiers

Property Value
CVE CVE-2018-1135

Version history

Version Comment Date
1.0 Advisory issued 2018-11-16
