Description

grade/edit/outcome/edit_form.php in Moodle 1.9.x through 1.9.19, 2.1.x before 2.1.10, 2.2.x before 2.2.7, 2.3.x before 2.3.4, and 2.4.x before 2.4.1 does not properly enforce the moodle/grade:manage capability requirement, which allows remote authenticated users to convert custom outcomes into standard site-wide outcomes by leveraging the teacher role and using the re-editing feature.

Remediation

References

CVE-2012-6098

Related Vulnerabilities

Python Uncontrolled Resource Consumption Vulnerability (CVE-2019-9674)

WordPress Plugin Opal Estate Cross-Site Request Forgery (1.6.11)

Dolibarr Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') Vulnerability (CVE-2018-19998)

Apache mod_rewrite off-by-one buffer overflow vulnerability

Joomla Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2011-2889)

Severity

Medium

Classification

CVE-2012-6098 CWE-264

Tags

Missing Update Known Vulnerabilities