Description

tag/tag_autocomplete.php in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 does not consider the moodle/tag:edit capability before adding a tag, which allows remote authenticated users to bypass intended access restrictions via an AJAX request.

Remediation

References

CVE-2014-7846

Related Vulnerabilities

Oracle JRE CVE-2013-2412 Vulnerability (CVE-2013-2412)

WordPress Plugin Slider Hero with Animation, Video Background Unspecified Vulnerability (5.5.0)

WebLogic Deserialization of Untrusted Data Vulnerability (CVE-2020-11113)

WordPress Plugin TinyMCE Advanced Cross-Site Request Forgery (4.1)

WordPress Plugin WordPress Button Plugin MaxButtons Security Bypass (1.19.0)

Severity

Medium

Classification

CVE-2014-7846 CWE-264

Tags

Missing Update Known Vulnerabilities