Description
lib/ajax/getnavbranch.php in Moodle through 2.6.11, 2.7.x before 2.7.13, 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3, when the forcelogin feature is enabled, allows remote attackers to obtain sensitive category-detail information from the navigation branch by leveraging the guest role for an Ajax request.
Remediation
References