CVE-2015-5340

Name of the Vulnerable Software and Affected Versions Moodle versions 2.6.11 and earlier, 2.7.x before 2.7.11, 2.8.x before 2.8.9, 2.9.x before 2.9.3

Description The issue is related to insufficient access control in the system, allowing remote authenticated users to obtain sensitive badge information. This can be achieved via a request involving "badges/overview.php" or "badges/view.php". The problem arises because the system does not consider the moodle/badges:viewbadges capability.

Recommendations For versions 2.6.11 and earlier, update to a version later than 2.6.11 to resolve the issue. For 2.7.x versions before 2.7.11, update to version 2.7.11 or later. For 2.8.x versions before 2.8.9, update to version 2.8.9 or later. For 2.9.x versions before 2.9.3, update to version 2.9.3 or later. As a temporary workaround, consider restricting access to the badges/overview.php and badges/view.php API endpoints until a patch is available.