Moodle Permissions Privileges and Access Controls Vulnerability - CVE-2015-2271

tag/user.php in Moodle through 2.5.9 2.6.x before 2.6.9 2.7.x before 2.7.6 and 2.8.x before 2.8.4 does not consider the moodle/tag:flag capability before proceeding with a flaginappropriate action which allows remote authenticated users to bypass intended access restrictions via the quotFlag as inappropriatequot feature.