CVE-2016-2158: Exposure of Sensitive Information to an Unauthorized Actor
(updated )
lib/ajax/getnavbranch.php in Moodle through 2.6.11, 2.7.x before 2.7.13, 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3, when the forcelogin feature is enabled, allows remote attackers to obtain sensitive category-detail information from the navigation branch by leveraging the guest role for an Ajax request.
References
- git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-52774
- www.openwall.com/lists/oss-security/2016/03/21/1
- github.com/advisories/GHSA-m882-j7gq-v9p7
- github.com/moodle/moodle/commit/0766509ab02353008af62f953f7ebc0f6210411a
- github.com/moodle/moodle/commit/3c069c16db62d0e0a64137578e92c22d604dd261
- github.com/moodle/moodle/commit/7b9fbb1cf4228b39f81454cdb8370e7853fbe184
- github.com/moodle/moodle/commit/dc8421575f35585a7a4fc1c9710dafd1d0483d4e
- github.com/moodle/moodle/commit/ea8987644fdbbee291337263598b0c3c7bf27c36
- moodle.org/mod/forum/discuss.php?d=330180
- nvd.nist.gov/vuln/detail/CVE-2016-2158
- web.archive.org/web/20160424224349/http://www.securitytracker.com/id/1035333
Code Behaviors & Features
Detect and mitigate CVE-2016-2158 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →