Description
course/reset.php in Moodle 2.1.x before 2.1.8, 2.2.x before 2.2.5, and 2.3.x before 2.3.2 checks an update capability instead of a reset capability, which allows remote authenticated users to bypass intended access restrictions via a reset operation.
Remediation
References
Related Vulnerabilities
PrestaShop Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2020-15081)
Dot CMS Unrestricted Upload of File with Dangerous Type Vulnerability (CVE-2017-11466)
PHP Permissions, Privileges, and Access Controls Vulnerability (CVE-2011-4718)
Moodle Permissions, Privileges, and Access Controls Vulnerability (CVE-2014-0127)