Bug 2116694 (CVE-2020-1754)

Summary: CVE-2020-1754 moodle: users viewing the grade history report without the 'access all groups' capability were not restricted to viewing grades of users within their own groups
Product: [Other] Security Response Reporter: Sandipan Roy <saroy>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED UPSTREAM QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: gwync, sergio
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2022-08-31 23:55:18 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2116695, 2116696    
Bug Blocks:    

Description Sandipan Roy 2022-08-09 08:04:02 UTC 
In Moodle before 3.8.2, 3.7.5, 3.6.9 and 3.5.11, users viewing the grade history report without the 'access all groups' capability were not restricted to viewing grades of users within their own groups.

https://moodle.org/mod/forum/discuss.php?d=398350
Comment 1 Sandipan Roy 2022-08-09 08:04:21 UTC 
Created moodle tracking bugs for this issue:

Affects: fedora-all [bug 2116695]
Comment 2 Sandipan Roy 2022-08-09 08:05:51 UTC 
Created moodle tracking bugs for this issue:

Affects: epel-7 [bug 2116696]
Comment 3 Product Security DevOps Team 2022-08-31 23:55:16 UTC 
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.