Description
lib/classes/grades_external.php in Moodle 2.7.x before 2.7.3 does not consider the moodle/grade:viewhidden capability before displaying hidden grades, which allows remote authenticated users to obtain sensitive information by leveraging the student role to access the get_grades web service.
Remediation
References