Multiple security issues were fixed in the latest Moodle release.

MSA-17-0010 External blog editing takeover
MSA-17-0011 Searching of blogs possible without capability to do it
MSA-17-0012 CSRF in number of courses displayed in the course overview block
MSA-17-0013 Missing permission check when adding forum post attachments in Web Services

References:
https://moodle.org/mod/forum/discuss.php?d=351987
https://docs.moodle.org/dev/Moodle_3.2.3_release_notes

MSA-17-0010 = CVE-2017-7489
MSA-17-0011 = CVE-2017-7490
MSA-17-0012 = CVE-2017-7491
MSA-17-0013 = not known.
The vulnerable versions are off the tree.
CVE-2017-7491 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7491): In Moodle 2.x and 3.x, a CSRF attack is possible that allows attackers to change the "number of courses displayed in the course overview block" configuration setting.

CVE-2017-7490 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7490): In Moodle 2.x and 3.x, searching of arbitrary blogs is possible because a capability check is missing.

CVE-2017-7489 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7489): In Moodle 2.x and 3.x, remote authenticated users can take ownership of arbitrary blogs by editing an external blog link.