Description
course/loginas.php in Moodle through 2.2.11, 2.3.x before 2.3.11, 2.4.x before 2.4.8, 2.5.x before 2.5.4, and 2.6.x before 2.6.1 does not enforce the moodle/site:accessallgroups capability requirement for outside-group users in a SEPARATEGROUPS configuration, which allows remote authenticated users to perform "login as" actions via a direct request.
Remediation
References
Related Vulnerabilities
Oracle Database Server CVE-2014-4293 Vulnerability (CVE-2014-4293)
axios Cross-Site Request Forgery (CSRF) Vulnerability (CVE-2023-45857)
MySQL CVE-2021-2172 Vulnerability (CVE-2021-2172)
phpBB Improper Control of Generation of Code ('Code Injection') Vulnerability (CVE-2019-16108)
WordPress Plugin My Calendar Multiple Cross-Site Scripting Vulnerabilities (2.3.9)