Description
tag/tag_autocomplete.php in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 does not consider the moodle/tag:edit capability before adding a tag, which allows remote authenticated users to bypass intended access restrictions via an AJAX request.
Remediation
References
Related Vulnerabilities
Oracle JRE CVE-2013-2412 Vulnerability (CVE-2013-2412)
WordPress Plugin Slider Hero with Animation, Video Background Unspecified Vulnerability (5.5.0)
WebLogic Deserialization of Untrusted Data Vulnerability (CVE-2020-11113)
WordPress Plugin TinyMCE Advanced Cross-Site Request Forgery (4.1)
WordPress Plugin WordPress Button Plugin MaxButtons Security Bypass (1.19.0)