VDB
GCVE-110-MAGEIA-2016-122
GCVE-110-MAGEIA-2016-122
Advisory Published
In Moodle before 2.8.11, teachers who otherwise were not supposed to see
students' emails could see them in the participants list (CVE-2016-2151).
In Moodle before 2.8.11, Moodle traditionally trusted content from
external DB, however it was decided that external datasources may not be
aware of web security practices and data could cause problems after
importing to Moodle (CVE-2016-2152).
In Moodle before 2.8.11, a user with higher permissions could be tricked
into clicking a link which would result in Reflected XSS in mod_data
advanced search (CVE-2016-2153).
In Moodle before 2.8.11, users without capability to view hidden courses
but with capability to subscribe to Event Monitor rules could see the
names of hidden courses (CVE-2016-2154).
In Moodle before 2.8.11, the Non-Editing Instructor role can edit the
exclude checkbox in the Single View grade report (CVE-2016-2155).
In Moodle before 2.8.11, users without the capability to view hidden
acitivites could still see associated calendar events via web services,
via the external function get_calendar_events (CVE-2016-2156).
In Moodle before 2.8.11, CSRF is possible on the Assignment plugin admin
page, however an exploit is unlikely to benefit anybody and can easily be
reversed (CVE-2016-2157).
In Moodle before 2.8.11, enumeration of course category details is
possible without authentication (CVE-2016-2158).
In Moodle before 2.8.11, students were able to add assignment submissions
after the due date through web service, via the external function
mod_assign_save_submission (CVE-2016-2159).
In Moodle before 2.8.11, when following external links that were added
with the _blank target, a referer header would be added (CVE-2016-2190).
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| Mageia | meta-task | 0 (affected), 5-28.1.mga5 (unaffected) | — |
| Mageia | moodle | 0 (affected), 2.8.11-1.mga5 (unaffected) | — |
Aliases
CVE-2016-2151CVE-2016-2154CVE-2016-2155CVE-2016-2159CVE-2016-2152CVE-2016-2190CVE-2016-2153CVE-2016-2158CVE-2016-2156CVE-2016-2157
Transitive aliases
CNVD-2016-01810GHSA-32hg-73hp-vwc8CNVD-2016-01807GSD-2016-2159GSD-2016-2190GHSA-r9pc-g29w-f86jGSD-2016-2152CNVD-2016-01805GHSA-r3fc-hx6q-g6cqCNVD-2016-01809CNVD-2016-01814GHSA-h8vc-v44p-5r2qGSD-2016-2157GSD-2016-2158GHSA-m882-j7gq-v9p7GSD-2016-2156GHSA-6mxm-wpqv-675hCNVD-2016-01808CNVD-2016-01813BDU:2016-01464GHSA-mj85-3hqq-r6r9GHSA-fmq9-58q4-xjw5CNVD-2016-01812CNVD-2016-01811CNVD-2016-01806GHSA-cw72-69wq-f9f2GSD-2016-2151GSD-2016-2153GSD-2016-2154GSD-2016-2155GHSA-f5pm-c4cw-563pBDU:2016-01465
References
Browse GCVE Records
72,580 records in the GCVE database · Updated July 15, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.