Lucene search

K

GoogleOSV:GHSA-468Q-9CMP-76WC

HistoryMay 13, 2022 - 1:12 a.m.

Moodle does not consider the moodle/tag:edit capability before adding a tag

2022-05-1301:12:43

Google

osv.dev

7

moodle

tag autocomplete

access restrictions

ajax request

vulnerability

AI Score

6.4

Confidence

Low

EPSS

0.001

Percentile

46.9%

tag/tag_autocomplete.php in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 does not consider the moodle/tag:edit capability before adding a tag, which allows remote authenticated users to bypass intended access restrictions via an AJAX request.

References

git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47965

openwall.com/lists/oss-security/2014/11/17/11

github.com/moodle/moodle

github.com/moodle/moodle/commit/1d9e0857f8bd9f21d25886f77cc13120f9d6be08

github.com/moodle/moodle/commit/932694ca59413ce8a0546b8bfb97e07e3b4cf17b

github.com/moodle/moodle/commit/bb69623c5c0754467f01f916f94446e1caddb6a8

moodle.org/mod/forum/discuss.php?d=275157

nvd.nist.gov/vuln/detail/CVE-2014-7846

web.archive.org/web/20150914064838/www.securitytracker.com/id/1031215

AI Score

6.4

Confidence

Low

EPSS

0.001

Percentile

46.9%

Related for OSV:GHSA-468Q-9CMP-76WC

cve1 github1 prion1 ubuntucve1 nvd1 veracode1 cvelist1 nessus1 openvas1 mageia1