Vulnerability Bulletins

MSA-21-0010: Fetching a user's enrolled courses via web services did not check profile access in each course


System information

Affected software: PHP

Description

by Michael Hawkins.

The web service responsible for fetching other users' enrolled courses did not validate that the requesting user had permission to view that information in each course.

Severity/Risk: Minor
Versions affected: 3.10 to 3.10.1, 3.9 to 3.9.4, 3.8 to 3.8.7, 3.5 to 3.5.16 and earlier unsupported versions
Versions fixed: 3.10.2, 3.9.5, 3.8.8 and 3.5.17
Reported by: Paul Holden
CVE identifier: CVE-2021-20283
Changes

More info:

https://moodle.org/mod/forum/discuss.php?d=419654&parent=1691273

Standard identifiers

Property   Value
CVE        CVE-2021-20283

Version history

Version   Comment           Date
1.0       Advisory issued   2021-03-16
