Description
Moodle 1.5.2 and earlier stores sensitive information under the web root with insufficient access control, and provides directory listings, which allows remote attackers to obtain user names, password hashes, and other sensitive information via a direct request for session (sess_*) files in moodledata/sessions/.
Remediation
References
Related Vulnerabilities
WordPress Plugin WebARX Cross-Site Scripting (1.3.0)
WordPress Plugin Search Unleashed 'Log' Function HTML Injection (0.2.10)
WordPress Plugin Wholesale Market for WooCommerce Arbitrary File Download (1.0.7)
WordPress Plugin Anthologize Cross-Site Scripting (0.7.7)
WordPress Plugin Zotpress 'citation' Parameter Cross-Site Scripting (2.6.1)