Moodle 2.3.x before 2.3.3 allows remote authenticated users to bypass the moodle/role:manage capability requirement and read all capability data by visiting the Check Permissions page.

The Dropbox Repository File Picker in Moodle 2.1.x before 2.1.9, 2.2.x before 2.2.6, and 2.3.x before 2.3.3 allows remote authenticated users to access the Dropbox of a different user by leveraging an unattended workstation after a logout.