4

CVSS Score

Basic Information

CVE ID

CVE-2014-0124

GHSA ID

GHSA-fc5p-vj3h-x7g4

EPSS Score

0.42396%

CWE

Published

5/13/2022

Updated

1/24/2024

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2014-0124

CVE-2014-0124: Moodle allows attackers to obtain sensitive information

The identity-reporting implementations in mod/forum/renderer.php and mod/quiz/override_form.php in Moodle through 2.3.11, 2.4.x before 2.4.9, 2.5.x before 2.5.5, and 2.6.x before 2.6.2 do not properly restrict the display of e-mail addresses, which allows remote authenticated users to obtain sensitive information by using the (1) Forum or (2) Quiz module.

(GitHub Advisory)

4

CVSS Score

Basic Information

CVE ID

CVE-2014-0124

GHSA ID

GHSA-fc5p-vj3h-x7g4

EPSS Score

0.42396%

CWE

Published

5/13/2022

Updated

1/24/2024

KEV Status

Technology

PHP

Technical Details

CVSS Vector

AV:N/AC:L/Au:S/C:P/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
moodle/moodle	composer	< 2.4.9	2.4.9
moodle/moodle	composer	>= 2.5.0, < 2.5.5	2.5.5
moodle/moodle	composer	>= 2.6.0, < 2.6.2	2.6.2

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from missing access checks for email visibility in two modules. The provided commit diff explicitly modifies these functions to add a $canviewemail check using get_extra_user_fields(), which validates permissions. Before the patch, both functions directly included email addresses in their output without this authorization step. The files and functions match the vulnerability description and patch context, confirming their role in the exposure.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T** i**ntity-r*portin* impl*m*nt*tions in mo*/*orum/r*n**r*r.p*p *n* mo*/quiz/ov*rri**_*orm.p*p in Moo*l* t*rou** *.*.**, *.*.x ***or* *.*.*, *.*.x ***or* *.*.*, *n* *.*.x ***or* *.*.* *o not prop*rly r*stri*t t** *ispl*y o* *-m*il ***r*ss*s, w*i** *

Reasoning

T** vuln*r**ility st*ms *rom missin* ****ss ****ks *or *m*il visi*ility in two mo*ul*s. T** provi*** *ommit *i** *xpli*itly mo*i*i*s t**s* *un*tions to *** * $**nvi*w*m*il ****k usin* **t_*xtr*_us*r_*i*l*s(), w*i** v*li**t*s p*rmissions. ***or* t** p

4

Basic Information

Concerned about an active attack path?

CVE-2014-0124: Moodle allows attackers to obtain sensitive information

4

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI