Description
tag/tag_autocomplete.php in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 does not consider the moodle/tag:edit capability before adding a tag, which allows remote authenticated users to bypass intended access restrictions via an AJAX request.
Remediation
References
Related Vulnerabilities
WordPress Plugin Download Monitor Unspecified Vulnerability (1.9.6)
Liferay Portal Incorrect Default Permissions Vulnerability (CVE-2022-42127)
WordPress Plugin Photo Gallery, Images, Slider in Rbs Image Gallery Cross-Site Scripting (3.2.12)
Joomla! Core 1.0.x Multiple Cross-Site Scripting Vulnerabilities (1.0.0 - 1.0.12)