CVE-2016-2158

MEDIUM

Moodle < 2.6.11 - Information Disclosure

Title source: rule

Description

lib/ajax/getnavbranch.php in Moodle through 2.6.11, 2.7.x before 2.7.13, 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3, when the forcelogin feature is enabled, allows remote attackers to obtain sensitive category-detail information from the navigation branch by leveraging the guest role for an Ajax request.

References (4)

[Patch] http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-52774

[Third Party Advisory, VDB Entry] http://www.securitytracker.com/id/1035333

[Vendor Advisory] https://moodle.org/mod/forum/discuss.php?d=330180

[Mailing List] http://www.openwall.com/lists/oss-security/2016/03/21/1

Scores

CVSS v3 4.3

EPSS 0.0033

EPSS Percentile 55.4%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Classification

CWE

CWE-200

Status draft

Affected Products (34)

moodle/moodle < 2.6.11

moodle/moodle

moodle/moodle

moodle/moodle

moodle/moodle

moodle/moodle

moodle/moodle

moodle/moodle

moodle/moodle

moodle/moodle

moodle/moodle

moodle/moodle

moodle/moodle

moodle/moodle

moodle/moodle

... and 19 more

Timeline

Published May 22, 2016

Tracked Since Feb 18, 2026