This document contains an overview of historic security vulnerabilities that were reported by users and have since been fixed.
When adding content through the WYSIWYG editor in multiple locations
in the Courses module, it was possible to add malicious
Version affected: beta-2
Version fixed: 2.0.0
A theoretical XSS attack was possible through the community on login pages, the value of which was printed in the resulting HTML without sanitization. This type of attack is improbable, as it would not have yielded any interesting information: the user wasn’t signed in yet.
- MEDIUM FIXED When entering an empty username in the login form of communities that use external LDAP authentication, a request to the LDAP server would still be sent, which allowed a theoretical DDoS attack, as some LDAP servers have rate limiting based on the user that is signing in.
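
The guard this entry describes, as an added example that is not the product's own code: the login handler rejects blank usernames locally, so nothing reaches the directory. `CountingDirectory`, `login_unguarded`, `login_guarded` and the sample account are hypothetical names constructed for the illustration; it goes one step beyond the entry by also rejecting empty passwords, which LDAP simple bind treats as an unauthenticated bind (RFC 4513, section 5.1.2).

```python
from dataclasses import dataclass, field


@dataclass
class CountingDirectory:
    """Constructed stand-in for an LDAP server: records every bind it receives."""
    accounts: dict
    binds: list = field(default_factory=list)

    def bind(self, username, password) -> bool:
        self.binds.append(username)
        return self.accounts.get(username) == password


def usable(value) -> bool:
    """True only for a non-blank string with no control characters."""
    return (isinstance(value, str) and value.strip() != ""
            and not any(ord(ch) < 0x20 for ch in value))


def login_unguarded(directory, username, password) -> bool:
    # Behaviour described in the entry: the request goes out whatever was typed.
    return directory.bind(username, password)


def login_guarded(directory, username, password) -> bool:
    # Reject locally, before any network traffic, so blank submissions cannot
    # consume the directory's per-user rate-limit budget.
    if not usable(username) or not password:
        return False
    return directory.bind(username.strip(), password)


def demo():
    """Run constructed submissions through both handlers; return bind counts."""
    attempts = [("", "x"), ("   ", "x"), (None, "x"), ("alice", ""), ("alice", "s3cret")]
    before = CountingDirectory({"alice": "s3cret"})
    after = CountingDirectory({"alice": "s3cret"})
    results = []
    for user, pw in attempts:
        login_unguarded(before, user, pw)
        results.append(login_guarded(after, user, pw))
    return len(before.binds), len(after.binds), results


if __name__ == "__main__":
    print(demo())
```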