Description
message/index.php in Moodle through 2.5.9, 2.6.x before 2.6.9, 2.7.x before 2.7.6, and 2.8.x before 2.8.4 does not consider the moodle/site:readallmessages capability before accessing arbitrary conversations, which allows remote authenticated users to obtain sensitive personal-contact and unread-message-count information via a modified URL.
Remediation
References