Description

course/loginas.php in Moodle through 2.2.11, 2.3.x before 2.3.11, 2.4.x before 2.4.8, 2.5.x before 2.5.4, and 2.6.x before 2.6.1 does not enforce the moodle/site:accessallgroups capability requirement for outside-group users in a SEPARATEGROUPS configuration, which allows remote authenticated users to perform "login as" actions via a direct request.

Remediation

References

CVE-2014-0009

Related Vulnerabilities

WordPress Plugin WordPress Infinite Scroll-Ajax Load More Cross-Site Scripting (5.6.0.2)

WordPress Plugin Similar Posts-Best Related Posts for WordPress Remote Code Execution (3.1.5)

WordPress 3.7.x Cross-Site Request Forgery (3.7 - 3.7.28)

WordPress Plugin Modern Events Calendar Lite Cross-Site Scripting (5.22.2)

Drupal Core 5.x SQL Injection (5.0 - 5.3)

Severity

Medium

Classification

CVE-2014-0009 CWE-264

Tags

Missing Update Known Vulnerabilities