mod/forum/post.php in Moodle 2.9.x before 2.9.1 does not consider the mod/forum:canposttomygroups capability before authorizing "Post a copy to all groups" actions, which allows remote authenticated users to bypass intended access restrictions by leveraging per-group authorization.
References
Configurations
Information
Published : 2016-02-21 21:59
Updated : 2020-12-01 06:52
NVD link : CVE-2015-3273
Mitre link : CVE-2015-3273
JSON object : View
CWE
CWE-264
Permissions, Privileges, and Access Controls
Products Affected
moodle
- moodle