Moodle through 2.6.11, 2.7.x before 2.7.13, 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3 does not properly restrict links, which allows remote attackers to obtain sensitive URL information by reading a Referer log.
git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-52651
www.openwall.com/lists/oss-security/2016/03/21/1
github.com/moodle/moodle
github.com/moodle/moodle/commit/1688564a6eee6000013f6e185f704049283ae375
github.com/moodle/moodle/commit/190757854d9ce3b3ce3100dc76de54277f3bdd14
github.com/moodle/moodle/commit/314d105c169c67e3ce750f76b21d99983d4a9ff5
github.com/moodle/moodle/commit/4d6f159f681882496e05ddacf2561929d2d23f0e
github.com/moodle/moodle/commit/9f91c23536a31ba2dc91b0ba2ae726b1757a20cb
moodle.org/mod/forum/discuss.php?d=330181
nvd.nist.gov/vuln/detail/CVE-2016-2190
web.archive.org/web/20210801130148/www.securitytracker.com/id/1035333