CVE-2014-7846 : tag/tag_autocomplete.php in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x bef

tag/tag_autocomplete.php in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 does not consider the moodle/tag:edit capability before adding a tag, which allows remote authenticated users to bypass intended access restrictions via an AJAX request.

Published 2014-11-24 11:59:11

Updated 2025-04-12 10:46:41

Source Red Hat, Inc.

View at NVD, CVE.org

Products affected by CVE-2014-7846

Moodle » Moodle
Versions up to, including, (<=) 2.4.11
cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*
Matching versions
Moodle » Moodle » Version: 2.5.0
cpe:2.3:a:moodle:moodle:2.5.0:*:*:*:*:*:*:*
Matching versions
Moodle » Moodle » Version: 2.5.1
cpe:2.3:a:moodle:moodle:2.5.1:*:*:*:*:*:*:*
Matching versions
Moodle » Moodle » Version: 2.5.2
cpe:2.3:a:moodle:moodle:2.5.2:*:*:*:*:*:*:*
Matching versions
Moodle » Moodle » Version: 2.6.0
cpe:2.3:a:moodle:moodle:2.6.0:*:*:*:*:*:*:*
Matching versions
Moodle » Moodle » Version: 2.6.1
cpe:2.3:a:moodle:moodle:2.6.1:*:*:*:*:*:*:*
Matching versions
Moodle » Moodle » Version: 2.5.4
cpe:2.3:a:moodle:moodle:2.5.4:*:*:*:*:*:*:*
Matching versions
Moodle » Moodle » Version: 2.5.3
cpe:2.3:a:moodle:moodle:2.5.3:*:*:*:*:*:*:*
Matching versions
Moodle » Moodle » Version: 2.5.5
cpe:2.3:a:moodle:moodle:2.5.5:*:*:*:*:*:*:*
Matching versions
Moodle » Moodle » Version: 2.6.2
cpe:2.3:a:moodle:moodle:2.6.2:*:*:*:*:*:*:*
Matching versions
Moodle » Moodle » Version: 2.5.6
cpe:2.3:a:moodle:moodle:2.5.6:*:*:*:*:*:*:*
Matching versions
Moodle » Moodle » Version: 2.7.0
cpe:2.3:a:moodle:moodle:2.7.0:*:*:*:*:*:*:*
Matching versions
Moodle » Moodle » Version: 2.6.3
cpe:2.3:a:moodle:moodle:2.6.3:*:*:*:*:*:*:*
Matching versions
Moodle » Moodle » Version: 2.6.4
cpe:2.3:a:moodle:moodle:2.6.4:*:*:*:*:*:*:*
Matching versions
Moodle » Moodle » Version: 2.5.7
cpe:2.3:a:moodle:moodle:2.5.7:*:*:*:*:*:*:*
Matching versions
Moodle » Moodle » Version: 2.7.1
cpe:2.3:a:moodle:moodle:2.7.1:*:*:*:*:*:*:*
Matching versions
Moodle » Moodle » Version: 2.6.5
cpe:2.3:a:moodle:moodle:2.6.5:*:*:*:*:*:*:*
Matching versions
Moodle » Moodle » Version: 2.5.8
cpe:2.3:a:moodle:moodle:2.5.8:*:*:*:*:*:*:*
Matching versions
Moodle » Moodle » Version: 2.7.2
cpe:2.3:a:moodle:moodle:2.7.2:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2014-7846

EPSS FAQ

0.24%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 45 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2014-7846

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
4.0	MEDIUM	AV:N/AC:L/Au:S/C:P/I:N/A:N	8.0	2.9	NIST
Access Vector: Network Access Complexity: Low Authentication: Single Confidentiality Impact: Partial Integrity Impact: None Availability Impact: None

CWE ids for CVE-2014-7846

CWE-264

Assigned by: nvd@nist.gov (Primary)

References for CVE-2014-7846

http://www.securitytracker.com/id/1031215

Moodle Bugs Permit Cross-Site Scripting, Cross-Site Request Forgery, and Information Disclosure Attacks - SecurityTracker

CVEs referencing this url
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47965

Official Moodle git projects - moodle.git/search
Patch
https://moodle.org/mod/forum/discuss.php?d=275157

Moodle.org: MSA-14-0041: Lack of capability check in tags list access
Vendor Advisory
http://openwall.com/lists/oss-security/2014/11/17/11

oss-security - Moodle security issues are now public

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2014-7846

Products affected by CVE-2014-7846

Exploit prediction scoring system (EPSS) score for CVE-2014-7846

CVSS scores for CVE-2014-7846

CWE ids for CVE-2014-7846

References for CVE-2014-7846