The course participation report required additional checks to prevent roles being displayed which the user did not have access to view.
Separate Groups mode restrictions were not honored in the H5P attempts report, which would display users from other groups. By default this only provided additional access to non-editing teachers.
Separate Groups mode restrictions were not honored when performing a forum export, which would export forum data for all groups. By default this only provided additional access to non-editing teachers.
Students in "Only see own membership" groups could see other students in the group, which should be hidden.
The last time a user accessed the mobile app is displayed on their profile page, but should be restricted to users with the relevant capability (site administrators by default). Moodle versions 3.10 to 3.10.3 are affected.
It was found in Moodle before version 3.10.1, 3.9.4 and 3.8.7 that a insufficient capability checks in some grade related web services meant students were able to view other students grades.
The web service responsible for fetching other users' enrolled courses did not validate that the requesting user had permission to view that information in each course in moodle before 3.10.2, 3.9.5, 3.8.8, 3.5.17.
Moodle before 2.2.2 has a default repository capabilities issue where all repositories are viewable by all users by default
A vulnerability was found in Moodle. Additional checks are required to ensure users with permission to view badge recipients can only access lists of those they are intended to have access to.
A flaw was found in moodle where global search results could include author information on some activities where a user may not otherwise have access to it.
In Moodle before 3.8.2, 3.7.5, 3.6.9 and 3.5.11, users viewing the grade history report without the 'access all groups' capability were not restricted to viewing grades of users within their own groups.
Moodle before 2.2.2: Overview report allows users to see hidden courses
A flaw was found in Moodle in versions 3.11 to 3.11.4, 3.10 to 3.10.8, 3.9 to 3.9.11 and earlier unsupported versions. Insufficient capability checks could lead to users accessing their grade report for courses where they did not have the required gradereport/user:view capability.
Moodle before 2.2.2 has a course information leak in gradebook where users are able to see hidden grade items in export
Moodle before 2.2.2: Course information leak via hidden courses being displayed in tag search results
Insufficient filtering of grade report history made it possible for teachers to access the names of users they could not otherwise access.
Authenticated users were able to enumerate other users' names via the learning plans page.
A vulnerability was found in moodle before versions 3.6.3, 3.5.5 and 3.4.8. Permissions were not correctly checked before loading event information into the calendar's edit event modal popup, so logged in non-guest users could view unauthorised calendar events. (Note: It was read-only access, users could not edit the events.)
The H5P activity attempts report did not filter by groups, which in separate groups mode could reveal information to non-editing teachers about attempts/users in groups they should not have access to.
A vulnerability was found in Moodle. It is possible for users with the "send message" capability to view other users' names that they may not otherwise have access to via an error message in Messaging. Note: The name returned follows the full name format configured on the site.
A vulnerability was found in Moodle. Additional checks are required to ensure users can only fetch the list of course badges for courses that they are intended to have access to.