Description
mod/forum/classes/post_form.php in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 does not enforce the moodle/site:accessallgroups capability requirement before proceeding with a post to all groups, which allows remote authenticated users to bypass intended access restrictions by leveraging two or more group memberships.