Vulnerability Bulletins

MSA-19-0004: "Log in as" functionality exposed to JavaScript risk on other users' Dashboards


System information

   
Affected software: PHP

Description

by Michael Hawkins. Users with the "login as other users" capability (such as administrators/managers) can access other users' Dashboards, but the JavaScript those other users may have added to their Dashboard was not being escaped when being viewed by the user logging in on their behalf. Please note that for versions 3.1 and 3.4 only, this fix removes access to other users' Dashboards while using the login-as functionality. Versions 3.5 and 3.6 have additional sanitizing implemented,

More info:

https://moodle.org/mod/forum/discuss.php?d=384010&parent=1547742

Standard identifiers

Property Value
CVE CVE-2019-3847

Version history

Version Comment Date
1.0 Advisory issued 2019-03-20
