Daniel Palou

**Name of the Vulnerable Software and Affected Versions** Moodle versions 2.6.11 and earlier Moodle versions 2.7.x before 2.7.11 Moodle versions 2.8.x before 2.8.9 Moodle versions 2.9.x before 2.9.3 **Description** The issue is related to the core enrol get enrolled users web service in Moodle, which does not properly implement group-based access restrictions. This allows remote authenticated users to obtain sensitive course-participant information via a web-service request. **Recommendations** For versions 2.6.11 and earlier, update to a version later than 2.6.11. For versions 2.7.x before 2.7.11, update to version 2.7.11 or later. For versions 2.8.x before 2.8.9, update to version 2.8.9 or later. For versions 2.9.x before 2.9.3, update to version 2.9.3 or later.