CVE-2016-3729

The user editing form in Moodle 3.0 through 3.0.3, 2.9 through 2.9.5, 2.8 through 2.8.11, 2.7 through 2.7.13, and earlier allows remote authenticated users to edit profile fields locked by the administrator.

Published: Apr 20, 2017
Updated: Apr 13, 2023
CVE: CVE-2016-3729
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 6.5
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

CVSS v2:

Severity: Low
Score: 4
AV:N/AC:L/Au:S/C:N/I:P/A:N

CWEs:

CWE-284

OWASP TOP 10:

A5 - Broken Access Control

Affected Software
References

Software	From	Fixed in
moodle / moodle	2.7.1	2.7.1.x
moodle / moodle	2.7.0-rc2	2.7.0-rc2.x
moodle / moodle	2.8.3	2.8.3.x
moodle / moodle	2.8.7	2.8.7.x
moodle / moodle	2.7.6	2.7.6.x
moodle / moodle	2.7.11	2.7.11.x
moodle / moodle	2.7.2	2.7.2.x
moodle / moodle	2.7.4	2.7.4.x
moodle / moodle	2.9.4	2.9.4.x
moodle / moodle	2.8.9	2.8.9.x
moodle / moodle	2.7.9	2.7.9.x
moodle / moodle	2.8.10	2.8.10.x
moodle / moodle	2.8.4	2.8.4.x
moodle / moodle	2.8.6	2.8.6.x
moodle / moodle	3.0.2	3.0.2.x
moodle / moodle	2.7.12	2.7.12.x
moodle / moodle	3.0.0-beta	3.0.0-beta.x
moodle / moodle	3.0.0-rc3	3.0.0-rc3.x
moodle / moodle	3.0.0-rc4	3.0.0-rc4.x
moodle / moodle	2.7.0-beta	2.7.0-beta.x
moodle / moodle	2.7.10	2.7.10.x
moodle / moodle	2.7.5	2.7.5.x
moodle / moodle	3.0.1	3.0.1.x
moodle / moodle	2.7.3	2.7.3.x
moodle / moodle	2.8.8	2.8.8.x
moodle / moodle	2.7.0	2.7.0.x
moodle / moodle	3.0.0-rc1	3.0.0-rc1.x
moodle / moodle	3.0.0	3.0.0.x
moodle / moodle	2.9.1	2.9.1.x
moodle / moodle	2.8.1	2.8.1.x
moodle / moodle	2.9.5	2.9.5.x
moodle / moodle	2.7.0-rc1	2.7.0-rc1.x
moodle / moodle	3.0.0-rc2	3.0.0-rc2.x
moodle / moodle	2.8.11	2.8.11.x
moodle / moodle	2.8.5	2.8.5.x
moodle / moodle	2.7.13	2.7.13.x
moodle / moodle	3.0.3	3.0.3.x
moodle / moodle	2.9.2	2.9.2.x
moodle / moodle	2.7.8	2.7.8.x
moodle / moodle	2.9.3	2.9.3.x
moodle / moodle	2.8.2	2.8.2.x
moodle / moodle	2.7.7	2.7.7.x
moodle / moodle	2.8.0	2.8.0.x
moodle / moodle	2.9.0	2.9.0.x

Vulnerability Database

CVE-2016-3729