WEB APPLICATION VULNERABILITIES Standard & Premium

Moodle Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2015-2266)

Description

message/index.php in Moodle through 2.5.9, 2.6.x before 2.6.9, 2.7.x before 2.7.6, and 2.8.x before 2.8.4 does not consider the moodle/site:readallmessages capability before accessing arbitrary conversations, which allows remote authenticated users to obtain sensitive personal-contact and unread-message-count information via a modified URL.

Remediation

References

Related Vulnerabilities

MySQL CVE-2017-10365 Vulnerability (CVE-2017-10365)

WordPress Plugin Toolset Types-Custom Post Types, Custom Fields and Taxonomies Multiple Unspecified Vulnerabilities (2.2.2)

Jboss EAP Improper Control of Generation of Code ('Code Injection') Vulnerability (CVE-2014-0248)

WordPress Plugin WordPress Easy Custom Js And Css Cross-Site Scripting (1.1.2)

Drupal Core 7.x Security Bypass (7.0 - 7.68)

Severity

Medium

Classification

CVE-2015-2266 CWE-200

Tags

Missing Update Known Vulnerabilities