CVE-2014-7834: Moodle does not verify group permissions
CVSS Score: 4.0
Basic Information
CVE ID: CVE-2014-7834
GHSA ID
EPSS Score: 0.41402%
CWE: -
Published: 5/13/2022
Updated: 1/24/2024
KEV Status: No
Technology: PHP
Technical Details
CVSS Vector (v2): AV:N/AC:L/Au:S/C:P/I:N/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
moodle/moodle | composer | >= 2.6.0, < 2.6.6 | 2.6.6 |
moodle/moodle | composer | >= 2.7.0, < 2.7.3 | 2.7.3 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from the absence of group permission checks in the forum_get_discussions web service in mod/forum/externallib.php. The function returned a forum's discussions without consulting the activity's group mode or the caller's group membership, so in a forum configured for separate groups an authenticated user could list discussions belonging to groups they were not a member of. This matches the CVSS vector above: an authenticated caller (Au:S) gains partial confidentiality impact (C:P) with no integrity or availability impact. The fix commit adds group validation logic (groups_get_activity_groupmode to read the forum's group mode, groups_get_user_groups to find the caller's groups) and narrows the SQL query with a group filter so that only discussions the caller may see are returned. The original code path in externallib.php contained none of these checks, leaving group-based access control unenforced for this web service even though the normal web UI enforced it. A test case in externallib_test.php is removed in the same commit, consistent with the function's changed behaviour of respecting group permissions. When verifying a deployment, confirm the installed version is at least 2.6.6 or 2.7.3 and that the web-service response for a separate-groups forum omits other groups' discussions for a non-member account.
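The following is an added example, not Moodle's own code or the fix commit, that models the missing check in a stand-alone PHP script. In Moodle the group mode, the caller's groups and the accessallgroups capability come from groups_get_activity_groupmode($cm, $course), groups_get_user_groups($course->id) and has_capability('moodle/site:accessallgroups', $context); here they are passed in as plain values, and the discussion rows are constructed sample data, so the script runs with `php` without a Moodle install. The function names get_discussions_unfiltered, get_discussions_filtered and group_filter_sql are hypothetical illustrations of the vulnerable and fixed behaviour, not Moodle API names.

```php
<?php
// Added example (not Moodle's own code): models the group-visibility check that
// CVE-2014-7834 was missing in the forum_get_discussions web service.
// All inputs are constructed inline so this runs stand-alone with `php`.

// Moodle's group mode constants (values as defined in lib/grouplib.php).
const NOGROUPS       = 0;
const SEPARATEGROUPS = 1;
const VISIBLEGROUPS  = 2;

// Constructed sample: discussions in one forum, tagged with the group they belong to.
// groupid -1 is Moodle's convention for an "all participants" discussion.
$discussions = [
    ['id' => 10, 'name' => 'Welcome',            'groupid' => -1],
    ['id' => 11, 'name' => 'Group A planning',   'groupid' => 1],
    ['id' => 12, 'name' => 'Group B planning',   'groupid' => 2],
    ['id' => 13, 'name' => 'Group C exam notes', 'groupid' => 3],
];

/**
 * Vulnerable behaviour (hypothetical helper): every discussion in the forum is
 * returned regardless of group mode or membership, as the pre-fix web service did.
 */
function get_discussions_unfiltered(array $discussions): array {
    return $discussions;
}

/**
 * Hardened behaviour (hypothetical helper). In Moodle the three parameters
 * would come from groups_get_activity_groupmode(), groups_get_user_groups()
 * and has_capability('moodle/site:accessallgroups', ...); they are plain
 * arguments here so the logic runs without a Moodle install.
 *
 * @param int   $groupmode          NOGROUPS, SEPARATEGROUPS or VISIBLEGROUPS
 * @param int[] $usergroupids       ids of the groups the caller belongs to
 * @param bool  $canaccessallgroups caller holds moodle/site:accessallgroups
 */
function get_discussions_filtered(array $discussions, int $groupmode,
                                  array $usergroupids, bool $canaccessallgroups): array {
    // Only separate-groups mode restricts reading; no-groups and visible-groups
    // forums are readable by everyone, and accessallgroups lifts the restriction.
    if ($groupmode !== SEPARATEGROUPS || $canaccessallgroups) {
        return $discussions;
    }
    // Allowed: "all participants" discussions plus the caller's own groups.
    $allowed = array_merge([-1], array_map('intval', $usergroupids));
    return array_values(array_filter(
        $discussions,
        fn($d) => in_array($d['groupid'], $allowed, true)
    ));
}

/**
 * The same restriction as the SQL fragment a web service would append to its
 * discussion query, with a positional parameter list in the style that
 * Moodle's $DB->get_in_or_equal() produces. Returns [fragment, params].
 */
function group_filter_sql(array $usergroupids): array {
    $allowed = array_merge([-1], array_map('intval', $usergroupids));
    $placeholders = implode(',', array_fill(0, count($allowed), '?'));
    return ["AND d.groupid IN ($placeholders)", $allowed];
}

// Scenario: a student who is only in group 2 calls the service on a
// separate-groups forum without the accessallgroups capability.
$vuln = get_discussions_unfiltered($discussions);
$safe = get_discussions_filtered($discussions, SEPARATEGROUPS, [2], false);

echo "Unfiltered (vulnerable): " . implode(', ', array_column($vuln, 'name')) . "\n";
echo "Filtered   (fixed):      " . implode(', ', array_column($safe, 'name')) . "\n";

[$sql, $params] = group_filter_sql([2]);
echo "SQL fragment: $sql  params=" . json_encode($params) . "\n";
```

The unfiltered call hands the student every discussion, including the group A and group C threads, which is the disclosure the CVE describes; the filtered call returns only the "all participants" thread and the group 2 thread. Filtering in SQL rather than after the fetch matters for paginated web services, because a post-fetch filter can silently return short pages and still leak counts.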