Vulnerability Bulletins

MSA-19-0005: Logged in users could view all calendar events


System information

Affected software: PHP

Description

By Michael Hawkins. Permissions were not correctly checked before loading event information into the calendar's edit event modal popup, so logged in non-guest users could view unauthorised calendar events. (Note: It was read-only access, users could not edit the events.)

Severity/Risk: Serious
Versions affected: 3.6 to 3.6.2, 3.5 to 3.5.4 and 3.4 to 3.4.7
Versions fixed: 3.6.3, 3.5.5 and 3.4.8
Reported by: Juan Leyva
CVE identifier: CVE-2019-3848
Changes

More info:

https://moodle.org/mod/forum/discuss.php?d=384011&parent=1547743

Standard identifiers

Property    Value
CVE         CVE-2019-3848

Version history

Version    Comment            Date
1.0        Advisory issued    2019-03-20
