Description

lib/ajax/getnavbranch.php in Moodle through 2.6.11, 2.7.x before 2.7.13, 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3, when the forcelogin feature is enabled, allows remote attackers to obtain sensitive category-detail information from the navigation branch by leveraging the guest role for an Ajax request.

Remediation

References

CVE-2016-2158

Related Vulnerabilities

Handlebars Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') Vulnerability (CVE-2019-19919)

PHP Numeric Errors Vulnerability (CVE-2008-2108)

WordPress Plugin WP Job Manager Cross-Site Scripting (1.26.1)

PHP Permissions, Privileges, and Access Controls Vulnerability (CVE-2007-1461)

Resin Application Server Other Vulnerability (CVE-2004-0281)

Severity

Medium

Classification

CVE-2016-2158 CWE-200 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Tags

Missing Update Known Vulnerabilities