Acunetix DAST powers runtime capabilities for Invicti’s complete AppSec platform. Visit Invicti for more.

WEB APPLICATION VULNERABILITIES Standard & Premium

Moodle Permissions, Privileges, and Access Controls Vulnerability (CVE-2015-3181)

Description

files/externallib.php in Moodle through 2.5.9, 2.6.x before 2.6.11, 2.7.x before 2.7.8, and 2.8.x before 2.8.6 does not consider the moodle/user:manageownfiles capability before approving a private-file upload, which allows remote authenticated users to bypass intended file-management restrictions by using web services to perform uploads after this capability has been revoked.

Remediation

References

Related Vulnerabilities

WordPress Plugin Sticky Ad Bar Cross-Site Scripting (1.3.1)

WordPress Plugin Event Notifier Cross-Site Scripting (1.2.0)

PHP Use After Free Vulnerability (CVE-2016-9137)

SharePoint Deserialization of Untrusted Data Vulnerability (CVE-2021-24066)

Jenkins Missing Authorization Vulnerability (CVE-2021-21687)

Severity

Medium

Classification

CVE-2015-3181 CWE-264

Tags

Missing Update Known Vulnerabilities