Bug 1515704 (CVE-2017-15110)

Summary: CVE-2017-15110 moodle: Students can find out email addresses of other students in the same course
Product: [Other] Security Response
Reporter: Andrej Nemec <anemec>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED UPSTREAM
Severity: low
Priority: low
Version: unspecified
CC: gwync
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: moodle 3.4, moodle 3.3.3, moodle 3.2.6, moodle 3.1.9
Last Closed: 2019-06-08 03:31:17 UTC
Bug Depends On: 1515705, 1515706    

Description Andrej Nemec 2017-11-21 09:15:55 UTC
In Moodle 3.x, students can find out email addresses of other students in the same course. Using search on the Participants page, students could search email addresses of all participants regardless of email visibility. This allows enumerating and guessing emails of other students.

External References:

https://moodle.org/mod/forum/discuss.php?d=361784

Upstream patch:

https://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-60550
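
A simplified model of the flaw described above and one way to close it, as an added example that is not Moodle's code or the upstream patch. The visibility rule, field names, the `privileged` flag and the roster are assumptions constructed for illustration; the point is that a search predicate must only touch fields the viewer may see on each row.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Participant:
    user_id: int
    full_name: str
    email: str
    email_visible: bool  # assumed per-user setting: may other students see the email?

# Constructed sample roster (not real data).
ROSTER = [
    Participant(1, "Alice Example", "alice@school.example", True),
    Participant(2, "Bob Example", "bob.private@mail.example", False),
    Participant(3, "Carol Example", "carol@school.example", False),
]

def can_see_email(viewer_id, target, privileged=False):
    """Assumed visibility rule: own email, visible emails, or a privileged role."""
    return privileged or viewer_id == target.user_id or target.email_visible

def search_flawed(roster, term, viewer_id, privileged=False):
    """Matches the email column on every row, so a hit confirms a hidden email."""
    t = term.lower()
    return [p.user_id for p in roster
            if t in p.full_name.lower() or t in p.email.lower()]

def search_fixed(roster, term, viewer_id, privileged=False):
    """Searches only the fields the viewer is allowed to see on each row."""
    t = term.lower()
    hits = []
    for p in roster:
        fields = [p.full_name]
        if can_see_email(viewer_id, p, privileged):
            fields.append(p.email)
        if any(t in f.lower() for f in fields):
            hits.append(p.user_id)
    return hits

def hidden_email_hits(search, roster, viewer_id):
    """Regression check: ids whose hidden email still matches a search by viewer."""
    return [p.user_id for p in roster
            if not can_see_email(viewer_id, p)
            and p.user_id in search(roster, p.email, viewer_id)]

if __name__ == "__main__":
    print("flawed:", hidden_email_hits(search_flawed, ROSTER, viewer_id=1))
    print("fixed: ", hidden_email_hits(search_fixed, ROSTER, viewer_id=1))
```

A check like `hidden_email_hits` fits in a regression suite: it should return an empty list for every non-privileged viewer.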

Comment 1 Andrej Nemec 2017-11-21 09:16:21 UTC
Created moodle tracking bugs for this issue:

Affects: epel-all [bug 1515705]
Affects: fedora-all [bug 1515706]

Comment 2 Product Security DevOps Team 2019-06-08 03:31:17 UTC
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.