Description
lib/ajax/getnavbranch.php in Moodle through 2.6.11, 2.7.x before 2.7.13, 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3, when the forcelogin feature is enabled, allows remote attackers to obtain sensitive category-detail information from the navigation branch by leveraging the guest role for an Ajax request.
Related Vulnerabilities
WordPress 'wp-admin/admin.php' Module Configuration Security Bypass Vulnerability (0.6.2 - 2.8)
WordPress Plugin Backup Bank:WordPress Backup Security Bypass (4.0.28)
Moodle Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2014-0215)
WebLogic CVE-2016-0696 Vulnerability (CVE-2016-0696)
Oracle Database Server CVE-2010-4420 Vulnerability (CVE-2010-4420)