MSA-19-0004: "Log in as" functionality exposed to JavaScript risk on other users Dashboards
System information
Affected software | PHP
Description
by Michael Hawkins. Users with the "login as other users" capability (such as administrators/managers) can access other users' Dashboards, but the JavaScript those other users may have added to their Dashboard was not being escaped when viewed by the user logging in on their behalf. Please note that for versions 3.1 and 3.4 only, this fix removes access to other users' Dashboards while using the login-as functionality. Versions 3.5 and 3.6 have additional sanitizing implemented,
More info:
https://moodle.org/mod/forum/discuss.php?d=384010&parent=1547742
Standard identifiers
Property | Value
CVE | CVE-2019-3847