Description
webservice/lib.php in Moodle 2.1.x before 2.1.8, 2.2.x before 2.2.5, and 2.3.x before 2.3.2 does not properly restrict the use of web-service tokens, which allows remote authenticated users to run arbitrary external-service functions via a token intended for only one service.