Description
lib/classes/grades_external.php in Moodle 2.7.x before 2.7.3 does not consider the moodle/grade:viewhidden capability before displaying hidden grades, which allows remote authenticated users to obtain sensitive information by leveraging the student role to access the get_grades web service.