4

CVSS Score

Basic Information

CVE ID

CVE-2014-7834

GHSA ID

GHSA-557f-2hv4-7jjm

EPSS Score

0.41402%

CWE

Published

5/13/2022

Updated

1/24/2024

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2014-7834

CVE-2014-7834: Moodle does not verify group permissions

mod/forum/externallib.php in Moodle 2.6.x before 2.6.6 and 2.7.x before 2.7.3 does not verify group permissions, which allows remote authenticated users to access a forum via the forum_get_discussions web service.

(GitHub Advisory)

4

CVSS Score

Basic Information

CVE ID

CVE-2014-7834

GHSA ID

GHSA-557f-2hv4-7jjm

EPSS Score

0.41402%

CWE

Published

5/13/2022

Updated

1/24/2024

KEV Status

Technology

PHP

Technical Details

CVSS Vector

AV:N/AC:L/Au:S/C:P/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
moodle/moodle	composer	>= 2.6.0, < 2.6.6	2.6.6
moodle/moodle	composer	>= 2.7.0, < 2.7.3	2.7.3

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from the absence of group permission checks in the forum_get_discussions web service. The commit diff shows the addition of group validation logic (groups_get_activity_groupmode, groups_get_user_groups) and a modified SQL query with group filtering. The original code path in externallib.php did not include these checks, leaving group-based access control unenforced. The test case removal in externallib_test.php further confirms the function's behavior change to respect group permissions.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

mo*/*orum/*xt*rn*lli*.p*p in Moo*l* *.*.x ***or* *.*.* *n* *.*.x ***or* *.*.* *o*s not v*ri*y *roup p*rmissions, w*i** *llows r*mot* *ut**nti**t** us*rs to ****ss * *orum vi* t** *orum_**t_*is*ussions w** s*rvi**.

Reasoning

T** vuln*r**ility st*ms *rom t** **s*n** o* *roup p*rmission ****ks in t** *orum_**t_*is*ussions w** s*rvi**. T** *ommit *i** s*ows t** ***ition o* *roup v*li**tion lo*i* (*roups_**t_**tivity_*roupmo**, *roups_**t_us*r_*roups) *n* * mo*i*i** SQL qu*r

4

Basic Information

Concerned about an active attack path?

CVE-2014-7834: Moodle does not verify group permissions

4

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI