Vulnerability Description
lib/ajax/getnavbranch.php in Moodle through 2.6.11, 2.7.x before 2.7.13, 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3, when the forcelogin feature is enabled, allows remote attackers to obtain sensitive category-detail information from the navigation branch by leveraging the guest role for an Ajax request.
CVSS Score
4.3 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Moodle | Moodle | <= 2.6.11 |
Related Weaknesses (CWE)
References
- http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-52774
- http://www.openwall.com/lists/oss-security/2016/03/21/1
- http://www.securitytracker.com/id/1035333
- https://moodle.org/mod/forum/discuss.php?d=330180 (Vendor Advisory)
FAQ
What is CVE-2016-2158?
CVE-2016-2158 is a vulnerability with a CVSS score of 4.3 (MEDIUM). lib/ajax/getnavbranch.php in Moodle through 2.6.11, 2.7.x before 2.7.13, 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3, when the forcelogin feature is enabled, allows remote attackers to obtain sensitive category-detail information from the navigation branch by leveraging the guest role for an Ajax request.
How severe is CVE-2016-2158?
CVE-2016-2158 has been rated MEDIUM with a CVSS base score of 4.3/10. See the CVSS Score section above.
Is there a patch for CVE-2016-2158?
Check the References section above for vendor advisories and patch information (the Moodle tracker issue is MDL-52774). Based on the description, the fixed releases are 2.7.13, 2.8.11, 2.9.5 and 3.0.3; the 2.6.x line is listed as affected through 2.6.11. Affected product: Moodle (vendor Moodle).