Moodle · Moodle · CVE-2016-2151
**Name of the Vulnerable Software and Affected Versions**
Moodle versions 2.6.11 and earlier, 2.7.x through 2.7.12, 2.8.x through 2.8.10, 2.9.x through 2.9.4, and 3.0.x through 3.0.2
**Description**
A remote authenticated user who holds the teacher role can discover student e-mail addresses by reading a Participants list. The cause is excessive authorization granted by the `moodle/course:viewhiddenuserfields` capability in `user/index.php`.
**Recommendations**
For Moodle versions 2.6.11 and earlier, update to version 2.7.13 or later.
For Moodle versions 2.7.x through 2.7.12, update to version 2.7.13 or later.
For Moodle versions 2.8.x through 2.8.10, update to version 2.8.11 or later.
For Moodle versions 2.9.x through 2.9.4, update to version 2.9.5 or later.
For Moodle versions 3.0.x through 3.0.2, update to version 3.0.3 or later.