CVE-2016-2151

Name of the Vulnerable Software and Affected Versions Moodle versions 2.6.11 and earlier, 2.7.x through 2.7.12, 2.8.x through 2.8.10, 2.9.x through 2.9.4, 3.0.x through 3.0.2

Description The issue allows remote authenticated users to discover student e-mail addresses by leveraging the teacher role and reading a Participants list, due to excessive authorization granted by the moodle/course:viewhiddenuserfields capability in the user/index.php file.

Recommendations For Moodle versions 2.6.11 and earlier, update to version 2.7.13 or later. For Moodle versions 2.7.x through 2.7.12, update to version 2.7.13 or later. For Moodle versions 2.8.x through 2.8.10, update to version 2.8.11 or later. For Moodle versions 2.9.x through 2.9.4, update to version 2.9.5 or later. For Moodle versions 3.0.x through 3.0.2, update to version 3.0.3 or later.