Moodle allows attackers to obtain sensitive personal-contact and unread-message-count information
Moderate severity
GitHub Reviewed
Published
May 13, 2022
to the GitHub Advisory Database
•
Updated Jan 25, 2024
Package
Affected versions
< 2.6.9
>= 2.7.0, < 2.7.6
>= 2.8.0, < 2.8.4
Patched versions
2.6.9
2.7.6
2.8.4
Description
Published by the National Vulnerability Database
Jun 1, 2015
Published to the GitHub Advisory Database
May 13, 2022
Last updated
Jan 25, 2024
Reviewed
Jan 25, 2024
message/index.php in Moodle through 2.5.9, 2.6.x before 2.6.9, 2.7.x before 2.7.6, and 2.8.x before 2.8.4 does not consider the moodle/site:readallmessages capability before accessing arbitrary conversations, which allows remote authenticated users to obtain sensitive personal-contact and unread-message-count information via a modified URL.
References