Description

grade/edit/outcome/edit_form.php in Moodle 1.9.x through 1.9.19, 2.1.x before 2.1.10, 2.2.x before 2.2.7, 2.3.x before 2.3.4, and 2.4.x before 2.4.1 does not properly enforce the moodle/grade:manage capability requirement, which allows remote authenticated users to convert custom outcomes into standard site-wide outcomes by leveraging the teacher role and using the re-editing feature.

Remediation

References

CVE-2012-6098

Related Vulnerabilities

Joomla! Core 1.7.x Information Disclosure (1.7.0 - 1.7.1)

Jolokia Cross-Site Request Forgery (CSRF) Vulnerability (CVE-2018-10899)

WordPress Plugin Olevmedia Shortcodes Multiple Cross-Site Scripting Vulnerabilities (1.1.9)

WordPress Plugin WTI Like Post Cross-Site Scripting (1.4.4)

Moodle Permissions, Privileges, and Access Controls Vulnerability (CVE-2012-2354)

Severity

Medium

Classification

CVE-2012-6098 CWE-264

Tags

Missing Update Known Vulnerabilities