Bugzilla – Bug 1012960
VUL-0: CVE-2016-8644: moodle: Incorrect capability check may have allowed users to view course notes
Last modified: 2017-02-01 16:27:46 UTC
bugbot adjusting priority
Public at https://moodle.org/mod/forum/discuss.php?d=343277
MSA-16-0025: Capability to view course notes is checked in the wrong context
Monday, November 21, 2016, 11:49 AM
Description: Incorrect capability check may have allowed users to view course notes when they had site-wide permission which was revoked inside a course
Issue summary: Notes has_capability check not called for correct context
Versions affected: 3.1 to 3.1.2, 3.0 to 3.0.6, 2.9 to 2.9.8, 2.8 to 2.8.12, 2.7 to 2.7.16 and earlier unsupported versions
Versions fixed: 3.1.3, 3.0.7, 2.9.9 and 2.7.17
Reported by: Andrew Nicols
Issue no.: MDL-51347
CVE identifier: CVE-2016-8644
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-51347
Already fixed in
Our online Moodle 3.2.1 is not affected.
Checked the other moodle packages in Education: only the 3.1 and 3.2 versions are enabled - the rest is build disabled since a long time now and will get removed end of February.
=> Closing as fixed, thanks for keeping an eye on it.