Moodle 2.3.x before 2.3.3 allows remote authenticated users to bypass the moodle/role:manage capability requirement and read all capability data by visiting the Check Permissions page.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Moodle | Moodle | 2.3.0 (including) | 2.3.0 (including) |
| Moodle | Moodle | 2.3.1 (including) | 2.3.1 (including) |
| Moodle | Moodle | 2.3.2 (including) | 2.3.2 (including) |
| Moodle | Ubuntu | hardy | * |
| Moodle | Ubuntu | upstream | * |
References
- http://git.moodle.org/gw?p=moodle.git\u0026a=search\u0026h=HEAD\u0026st=commit\u0026s=MDL-35381
- http://openwall.com/lists/oss-security/2012/11/19/1
- http://www.securityfocus.com/bid/56505
- https://moodle.org/mod/forum/discuss.php?d=216161
- http://git.moodle.org/gw?p=moodle.git\u0026a=search\u0026h=HEAD\u0026st=commit\u0026s=MDL-35381
- http://openwall.com/lists/oss-security/2012/11/19/1
- http://www.securityfocus.com/bid/56505
- https://moodle.org/mod/forum/discuss.php?d=216161