Description
The grade-reporting feature in Singleview (aka Single View) in Moodle 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3 does not consider the moodle/grade:manage capability, which allows remote authenticated users to modify "Exclude grade" settings by leveraging the Non-Editing Instructor role.
Remediation
References
Related Vulnerabilities
PHP Out-of-bounds Write Vulnerability (CVE-2021-21704)
WebLogic Deserialization of Untrusted Data Vulnerability (CVE-2022-23302)
WordPress Plugin Global Content Blocks Cross-Site Request Forgery (2.1.5)
Apache Tomcat Permissions, Privileges, and Access Controls Vulnerability (CVE-2012-5885)
WordPress Plugin PowerPress Podcasting by Blubrry Unspecified Vulnerability (8.6.1)