Moodle Users Obtain Sensitive Information Vulnerabilities
23 Jun. 2016
The (1) core_enrol_get_course_enrolment_methods and (2) enrol_self_get_instance_info web services in Moodle through 2.6.11, 2.7.x before 2.7.12, 2.8.x before 2.8.10, 2.9.x before 2.9.4, and 3.0.x before 3.0.2 do not consider the moodle/course:viewhiddencourses capability, which allows remote authenticated users to obtain sensitive information via a web-service request.
* Moodle through 2.6.11, 2.7.x before 2.7.12, 2.8.x before 2.8.10, 2.9.x before 2.9.4, and 3.0.x before 3.0.2
* Moodle through 2.6.11, 2.7.x after 2.7.12, 2.8.x after 2.8.10, 2.9.x after 2.9.4, and 3.0.x after 3.0.2
A remote user can cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the Moodle software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
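The missing check on moodle/course:viewhiddencourses in the two web services named above can be modelled as follows. This is an added example, not Moodle's code or its patch; the `Course` and `User` classes, the handler names and the sample data are hypothetical stand-ins.

```python
"""Simplified model of the missing capability check (not Moodle code)."""
from dataclasses import dataclass, field

VIEW_HIDDEN = "moodle/course:viewhiddencourses"  # capability named in the advisory


class AccessDenied(Exception):
    """Raised when the caller may not see the requested course."""


@dataclass
class Course:  # hypothetical stand-in for a course record
    id: int
    visible: bool
    enrol_methods: list = field(default_factory=list)


@dataclass
class User:  # hypothetical stand-in: capabilities held per course id
    name: str
    caps: dict = field(default_factory=dict)

    def has_capability(self, cap, course_id):
        return cap in self.caps.get(course_id, set())


def get_enrolment_methods_vulnerable(user, course):
    # Flawed pattern: any authenticated caller gets the data,
    # whether or not the course is hidden from them.
    return list(course.enrol_methods)


def get_enrolment_methods_fixed(user, course):
    # Hardened pattern: a hidden course is readable only by callers
    # holding the view-hidden-courses capability in that course.
    if not course.visible and not user.has_capability(VIEW_HIDDEN, course.id):
        raise AccessDenied(f"course {course.id} is hidden")
    return list(course.enrol_methods)


# Constructed sample data
HIDDEN = Course(id=7, visible=False, enrol_methods=["self", "manual"])
OPEN = Course(id=8, visible=True, enrol_methods=["guest"])
STUDENT = User("student")
MANAGER = User("manager", caps={7: {VIEW_HIDDEN}})


def leaks(handler, user, course):
    """Return True if handler discloses data for a course hidden from user."""
    try:
        handler(user, course)
    except AccessDenied:
        return False
    return not course.visible and not user.has_capability(VIEW_HIDDEN, course.id)
```

`leaks()` can serve as a regression check: it should be false for every handler, user and course combination once the visibility check is in place.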