Description

tag/tag_autocomplete.php in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 does not consider the moodle/tag:edit capability before adding a tag, which allows remote authenticated users to bypass intended access restrictions via an AJAX request.

Remediation

References

CVE-2014-7846

Related Vulnerabilities

Magento Improper Authentication Vulnerability (CVE-2019-8108)

WordPress Plugin WP Mail Log Cross-Site Scripting (1.1.1)

WordPress Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2014-9031)

WordPress Plugin Photo Gallery, Images, Slider in Rbs Image Gallery Security Bypass (2.0.15)

ownCloud Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2016-1499)

Severity

Medium

Classification

CVE-2014-7846 CWE-264

Tags

Missing Update Known Vulnerabilities