CVE-2014-7831

Name of the Vulnerable Software and Affected Versions Moodle versions 2.7.x through 2.7.2

Description The issue allows remote authenticated users to obtain sensitive information by accessing the get grades web service, leveraging the student role. This occurs because the lib/classes/grades external.php file does not consider the moodle/grade:viewhidden capability before displaying hidden grades.

Recommendations For Moodle versions 2.7.x through 2.7.2, update to version 2.7.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the get grades web service for users with the student role until the update is applied.