
CVE-2014-3617: Moodle allows discovery of an author's username

CVSS Score: 4

Basic Information

EPSS Score: 0.39763%
CWE: -
Published: 5/13/2022
Updated: 2/2/2024
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N

Package Name    Ecosystem   Vulnerable Versions   First Patched Version
moodle/moodle   composer    < 2.5.8               2.5.8
moodle/moodle   composer    >= 2.6.0, < 2.6.5     2.6.5
moodle/moodle   composer    >= 2.7.0, < 2.7.2     2.7.2

Vulnerability Intelligence

Root Cause Analysis

The vulnerability description explicitly identifies forum_print_latest_discussions as the vulnerable function. The provided commit diff shows the patch added critical security checks (forum type validation, capability check, and post-existence verification) to this function. These checks were missing in vulnerable versions, enabling unauthorized username disclosure. The direct correlation between the CVE description, advisory references, and the patched code confirms this function's role in the vulnerability.


WAF Protection Rules

WAF Rule

The forum_print_latest_discussions function in mod/forum/lib.php in Moodle through 2.4.11, 2.5.x before 2.5.8, 2.6.x before 2.6.5, and 2.7.x before 2.7.2 allows remote authenticated users to bypass the individual answer-posting requirement without th
