Description

The web service responsible for fetching other users' enrolled courses did not validate that the requesting user had permission to view that information in each course in moodle before 3.10.2, 3.9.5, 3.8.8, 3.5.17.

Remediation

References

CVE-2021-20283

Related Vulnerabilities

Sqlite NULL Pointer Dereference Vulnerability (CVE-2019-19242)

WordPress Plugin Automatic Online Backup 'url' Parameter Cross-Site Scripting (0.8.2)

IBM WebSEAL Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2019-4725)

WordPress Plugin Feature Slideshow 'src' Parameter Cross-Site Scripting (1.0.6beta)

WordPress Plugin Email Subscribers by Icegram Express-Email Marketing, Newsletters, Automation for WordPress & WooCommerce SQL Injection (4.3.0)

Severity

Medium

Classification

CVE-2021-20283 CWE-863 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Tags

Missing Update Known Vulnerabilities