Description: This release addresses a set of security vulnerabilities identified in the quizaccess_proview plugin. This release also addresses a bug reported by CyberCX in the Proview Recordings page within Moodle LMS. You can download the latest version here.Documentation Index
Fetch the complete documentation index at: https://docs.talview.com/llms.txt
Use this file to discover all available pages before exploring further.
βοΈ Improvements / Enhancements
- Sentry telemetry is now opt-in
Third-party error telemetry (Sentry) is now disabled by default. Site admins can enable it explicitly from plugin settings. Additionally, Sentry will only initialise for quizzes where Proview is actively configured - not for all quiz page views site-wide. - Enable Password Injection setting A new Enable Password Injection checkbox is now available in the Proview Proctoring Settings section of the quiz settings page. When checked, the quiz password configured by the instructor is automatically injected for the student, and proctoring preflight checks begin immediately. When unchecked, students are prompted to manually enter the password before proceeding. This gives instructors explicit control over how password validation is handled in their proctored quizzes.
π Bug Fixes
- Sensitive API data exposed in browser console API responses were being injected into the browser console during production quiz sessions, potentially exposing bearer tokens, session IDs, and proctor credentials to any authenticated user via browser dev tools. This has been resolved - API response payloads are no longer sent to the browser console.
- Quiz password bypass via direct URL access Students could bypass a quiz password by navigating directly to
frame.php, which was unconditionally marking the password as satisfied without validating it. Password validation is now properly enforced through Moodleβs standard access flow before the Proview session can be initiated. - Unenrolled users could access Proview flow Any authenticated Moodle user could access
frame.phpfor any proctored quiz, regardless of course enrolment. The page now enforces course enrolment and quiz access capability checks before initiating the Proview session - unenrolled or unauthorised users are blocked before the proctoring flow begins. - Proview Recordings list capped at 100 sessions The Proview Recordings page was limiting the display to a maximum of 100 sessions with no option to paginate further. Reviewers were unable to access or view recordings beyond the first 100 sessions. This has now been resolved - pagination is supported, allowing reviewers to navigate through all sessions regardless of count.
π Known Issues
- Proview token stored in plaintext - The
proview_tokenfield is currently stored unencrypted in the database. If tokens are reusable across sessions, a database compromise could expose valid Proview authorisation material. This is a known limitation and will be addressed in a future release.