Bug 1264823

Summary: CVE-2015-5272 moodle: Group access is not properly checked when posting to "all participants" in forum (MSA-15-0031)
Product: [Other] Security Response Reporter: Adam Mariš <amaris>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED DUPLICATE QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: gwync, ignatenko, jrusnack
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: moodle 2.7.10 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-09-21 11:39:42 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Adam Mariš 2015-09-21 10:09:32 UTC 
Group access is not properly checked when posting to "all participants" in forum which allows teacher without accessallgroups can still post to "all participants" and groups they're not members of. Affected versions are 2.7 to 2.7.9 and earlier unsupported versions.

Upstream patch:

https://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-50576
Comment 1 Adam Mariš 2015-09-21 11:39:42 UTC 

*** This bug has been marked as a duplicate of bug 1264861 ***