Description
enrol/index.php in Moodle 2.6.x before 2.6.3 does not check for the moodle/course:viewhiddencourses capability before listing hidden courses, which allows remote attackers to obtain sensitive name and summary information about these courses by leveraging the guest role and visiting a crafted URL.