| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| moodle/moodle | composer | >= 2.0.0, < 2.2.8 | 2.2.8 |
| moodle/moodle | composer | >= 2.3.0, < 2.3.5 | 2.3.5 |
| moodle/moodle | composer | >= 2.4.0, < 2.4.2 | 2.4.2 |
The vulnerability stemmed from missing context validation when handling WebDAV repository instances. The patch adds checks in admin/repositoryinstance.php that compare the instance's context ID with the context ID the current user is acting in. Before this fix, the code retrieved repository instances via repository::get_instance but never verified that the user had rights to modify instances in that context, so an authenticated user with only read access could manipulate site-wide repositories by bypassing the context-based access controls. The direct correspondence between the vulnerability description and the context checks added in the commit confirms this as the root cause.
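To make the missing check concrete, here is an added PHP illustration of the pattern described above. It is not Moodle's code and does not use Moodle's APIs: the instance registry, `find_instance()`, `update_instance_unchecked()`, `update_instance_checked()` and the capability callback are all hypothetical stand-ins, and the sample instances and context IDs are constructed. The unchecked function models the pre-patch behaviour (look the instance up by id and modify it); the checked function models the fix (refuse unless the instance belongs to the context the request is scoped to and the caller holds a capability there).

```php
<?php
// Added illustration, not Moodle's own code: a minimal model of the missing
// context check described in the advisory. All function and variable names
// here are hypothetical; the data below is constructed.

// Constructed sample data: two repository instances living in different contexts.
// contextid 1 stands for the site-wide (system) context, contextid 42 for a course.
$instances = [
    7  => ['id' => 7,  'name' => 'Site WebDAV',  'contextid' => 1,  'url' => 'https://dav.example.test/'],
    11 => ['id' => 11, 'name' => 'Course share', 'contextid' => 42, 'url' => 'https://share.example.test/'],
];

// Hypothetical stand-in for looking an instance up by id.
function find_instance(array $instances, int $id): ?array {
    return $instances[$id] ?? null;
}

// Pre-fix pattern: anyone who can reach the page may edit any instance by id,
// regardless of which context the request is operating in.
function update_instance_unchecked(array &$instances, int $id, array $changes): bool {
    $instance = find_instance($instances, $id);
    if ($instance === null) {
        return false;
    }
    $instances[$id] = array_merge($instance, $changes);
    return true;
}

// Post-fix pattern: the instance must belong to the context the request is
// scoped to, and the caller must hold a manage capability in that context.
function update_instance_checked(array &$instances, int $id, array $changes,
                                 int $requestcontextid, callable $hascapability): bool {
    $instance = find_instance($instances, $id);
    if ($instance === null) {
        return false;
    }
    // The instance's context must match the context the user is acting in.
    if ($instance['contextid'] !== $requestcontextid) {
        throw new RuntimeException('Repository instance does not belong to this context');
    }
    // And the user needs the relevant capability in that same context.
    if (!$hascapability($requestcontextid)) {
        throw new RuntimeException('Permission denied');
    }
    $instances[$id] = array_merge($instance, $changes);
    return true;
}

// Hypothetical capability oracle: this user may manage repositories only in context 42.
$canmanage = function (int $contextid): bool {
    return $contextid === 42;
};

// Unchecked path: a course-level user rewrites the site-wide instance's URL.
update_instance_unchecked($instances, 7, ['url' => 'https://rewritten.example.test/']);
echo "unchecked: site instance now points at " . $instances[7]['url'] . PHP_EOL;

// Checked path: the same request is refused because instance 7 lives in context 1, not 42.
try {
    update_instance_checked($instances, 7, ['url' => 'https://other.example.test/'], 42, $canmanage);
} catch (RuntimeException $e) {
    echo "checked: " . $e->getMessage() . PHP_EOL;
}

// A legitimate edit of the course-level instance from the course context succeeds.
update_instance_checked($instances, 11, ['name' => 'Course share (renamed)'], 42, $canmanage);
echo "checked: instance 11 renamed to " . $instances[11]['name'] . PHP_EOL;
```

The point of the two-part check is that a capability test alone is not enough: a user may legitimately hold a manage capability in one context while the instance id they supply belongs to another, so the instance's own context ID has to be compared against the context the request is operating in before any capability lookup is meaningful.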