Vulnerability Bulletins

MSA-19-0006: Users could elevate their role when accessing the LTI tool on a provider site


System information

Affected software: PHP

Description

by Michael Hawkins.

Users could assign themselves an escalated role within courses or content accessed via LTI, by modifying the request to the LTI publisher site.

Severity/Risk: Serious
Versions affected: 3.6 to 3.6.2, 3.5 to 3.5.4, 3.4 to 3.4.7 and earlier unsupported versions
Versions fixed: 3.6.3, 3.5.5 and 3.4.8
Reported by: Brendan Cox
CVE identifier: CVE-2019-3849
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-62702
Tracker issue: MDL-62702

More info:

https://moodle.org/mod/forum/discuss.php?d=384012&parent=1547744

Standard identifiers

Property   Value
CVE        CVE-2019-3849

Version history

Version   Comment           Date
1.0       Advisory issued   2019-03-20
