CVE-2014-0217

Name of the Vulnerable Software and Affected Versions Moodle versions 2.6.0 through 2.6.2

Description The issue allows remote attackers to obtain sensitive information about hidden courses by visiting a crafted URL, leveraging the guest role. This is due to the failure of enrol/index.php to check for the moodle/course:viewhiddencourses capability before listing hidden courses.

Recommendations For Moodle versions 2.6.0 through 2.6.2, update to version 2.6.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the enrol/index.php page for guest users until the update is applied.