Vulnerability Bulletins

MSA-19-0003: User full name is not escaped in the un-linked userpix page


System information

Affected software: PHP

Description

by Michael Hawkins.

The /userpix/ page did not escape users' full names, which are included as text when hovering over profile images. Note this page is not linked to by default and its access is restricted.

Severity/Risk: Minor
Versions affected: 3.6 to 3.6.1, 3.5 to 3.5.3, 3.4 to 3.4.6, 3.1 to 3.1.15 and earlier unsupported versions
Versions fixed: 3.6.2, 3.5.4, 3.4.7 and 3.1.16
Reported by: Fariskhi Vidyan
CVE identifier: CVE-2019-3810
Changes:

More info:

https://moodle.org/mod/forum/discuss.php?d=381230&parent=1536767

Standard identifiers

Property    Value
CVE         CVE-2019-3810

Version history

Version    Comment            Date
1.0        Advisory issued    2019-03-20
