{"id":"GHSA-468q-9cmp-76wc","summary":"Moodle does not consider the moodle/tag:edit capability before adding a tag","details":"tag/tag_autocomplete.php in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 does not consider the moodle/tag:edit capability before adding a tag, which allows remote authenticated users to bypass intended access restrictions via an AJAX request.","aliases":["CVE-2014-7846"],"modified":"2024-12-07T05:33:15.395803Z","published":"2022-05-13T01:12:43Z","database_specific":{"cwe_ids":[],"github_reviewed":true,"nvd_published_at":"2014-11-24T11:59:00Z","severity":"MODERATE","github_reviewed_at":"2024-01-24T21:42:12Z"},"references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2014-7846"},{"type":"WEB","url":"https://github.com/moodle/moodle/commit/1d9e0857f8bd9f21d25886f77cc13120f9d6be08"},{"type":"WEB","url":"https://github.com/moodle/moodle/commit/932694ca59413ce8a0546b8bfb97e07e3b4cf17b"},{"type":"WEB","url":"https://github.com/moodle/moodle/commit/bb69623c5c0754467f01f916f94446e1caddb6a8"},{"type":"PACKAGE","url":"https://github.com/moodle/moodle"},{"type":"WEB","url":"https://moodle.org/mod/forum/discuss.php?d=275157"},{"type":"WEB","url":"https://web.archive.org/web/20150914064838/http://www.securitytracker.com/id/1031215"},{"type":"WEB","url":"http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47965"},{"type":"WEB","url":"http://openwall.com/lists/oss-security/2014/11/17/11"}],"affected":[{"package":{"name":"moodle/moodle","ecosystem":"Packagist","purl":"pkg:composer/moodle/moodle"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.5.9"}]}],"versions":["v2.3.10","v2.3.11","v2.3.4","v2.3.5","v2.3.6","v2.3.7","v2.3.8","v2.3.9","v2.4.0","v2.4.0-rc1","v2.4.1","v2.4.10","v2.4.11","v2.4.2","v2.4.3","v2.4.4","v2.4.5","v2.4.6","v2.4.7","v2.4.8","v2.4.9","v2.5.0","v2.5.0-beta","v2.5.0-rc1","v2.5.1","v2.5.2","v2.5.3","v2.5.4","v2.5.5","v2.5.6","v2.5.7","v2.5.8"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-468q-9cmp-76wc/GHSA-468q-9cmp-76wc.json"}},{"package":{"name":"moodle/moodle","ecosystem":"Packagist","purl":"pkg:composer/moodle/moodle"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"2.6.0"},{"fixed":"2.6.6"}]}],"versions":["v2.6.0","v2.6.1","v2.6.2","v2.6.3","v2.6.4","v2.6.5"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-468q-9cmp-76wc/GHSA-468q-9cmp-76wc.json"}},{"package":{"name":"moodle/moodle","ecosystem":"Packagist","purl":"pkg:composer/moodle/moodle"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"2.7.0"},{"fixed":"2.7.3"}]}],"versions":["v2.7.0","v2.7.1","v2.7.2"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-468q-9cmp-76wc/GHSA-468q-9cmp-76wc.json"}}],"schema_version":"1.7.3"}