The reporting (http://www.coventrytelegraph.net/news/coventry-news/coventry-university-students-left-vulnerable-12080500) on this suggests a big scary hack at the university, but actually it's more of a good-news story about how vigilant our students are.
Internally, this got quite complicated, but the essence of it is:
- Students found a potential vulnerability in a Moodle plugin
- This is a vulnerability that affects any Moodle instance with the plugin - at Coventry or anywhere else.
- Students also provided a fix, which has since been incorporated into the plugin by the author.
- Very little data was actually at risk - lecture notes, test scores, but nothing like passwords or personal details.
- So, this was a potential risk of session hijacking under quite specific conditions.
- No privilege escalation!