
CVE-2014-7834: Moodle does not verify group permissions

CVSS Score: 4

Basic Information

EPSS Score: 0.41402%
CWE: -
Published: 5/13/2022
Updated: 1/24/2024
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N

Package Name    Ecosystem   Vulnerable Versions   First Patched Version
moodle/moodle   composer    >= 2.6.0, < 2.6.6     2.6.6
moodle/moodle   composer    >= 2.7.0, < 2.7.3     2.7.3

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability stems from the absence of group permission checks in the forum_get_discussions web service. The fixing commit adds group validation logic (groups_get_activity_groupmode, groups_get_user_groups) and modifies the SQL query to filter discussions by group. The original code path in externallib.php contained none of these checks, so group-based access control was not enforced for this web service. The removal of a test case from externallib_test.php further confirms that the function's behaviour changed to respect group permissions.
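The pattern the analysis describes, as an added illustration that is not Moodle's own code and not the actual CVE-2014-7834 patch: an unfiltered discussion listing beside one that honours the activity's group mode. It assumes Moodle's globals ($DB, $USER), the group API functions named above, and the forum convention that groupid -1 marks a discussion visible to all participants.

```php
<?php
// Added example; not Moodle's code or the real fix for CVE-2014-7834.
// Assumes a Moodle runtime: $DB, the groups API, has_capability(),
// SEPARATEGROUPS, and forum_discussions rows with groupid -1 = everyone.

defined('MOODLE_INTERNAL') || die();

/**
 * Unsafe pattern: every discussion in the forum is returned regardless of the
 * activity's group mode. This is the behaviour the advisory describes.
 */
function example_get_discussions_unfiltered(int $forumid): array {
    global $DB;
    return $DB->get_records('forum_discussions', ['forum' => $forumid], 'timemodified DESC');
}

/**
 * Hardened pattern: in separate-groups mode a user without
 * moodle/site:accessallgroups only sees discussions belonging to one of
 * their own groups, or to all participants (groupid -1).
 *
 * @param stdClass       $cm      course module record for the forum
 * @param context_module $context the forum's module context
 * @param int            $userid  user whose view is being computed
 */
function example_get_discussions_group_checked(stdClass $cm, context_module $context, int $userid): array {
    global $DB;

    $params   = ['forum' => $cm->instance];
    $groupsql = '';

    $groupmode = groups_get_activity_groupmode($cm);
    if ($groupmode == SEPARATEGROUPS && !has_capability('moodle/site:accessallgroups', $context, $userid)) {
        // Index 0 of groups_get_user_groups() lists all of the user's groups in the course.
        $usergroups = groups_get_user_groups($cm->course, $userid)[0];
        if (empty($usergroups)) {
            // No group membership: only discussions addressed to everyone.
            $groupsql = ' AND d.groupid = -1';
        } else {
            // Named placeholders keep the group list parameterised rather than interpolated.
            list($insql, $inparams) = $DB->get_in_or_equal($usergroups, SQL_PARAMS_NAMED, 'grp');
            $groupsql = " AND (d.groupid = -1 OR d.groupid $insql)";
            $params   = array_merge($params, $inparams);
        }
    }

    $sql = "SELECT d.*
              FROM {forum_discussions} d
             WHERE d.forum = :forum $groupsql
          ORDER BY d.timemodified DESC";
    return $DB->get_records_sql($sql, $params);
}
```

Visible-groups mode deliberately stays unfiltered, since in that mode all users may read every group's discussions; only separate-groups mode restricts the result set. A regression test for this class of bug would call the web service as a member of one group and assert that discussions posted to another group are absent from the response.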

WAF Protection Rules

WAF Rule

mod/forum/externallib.php in Moodle 2.6.x before 2.6.6 and 2.7.x before 2.7.3 does not verify group permissions, which allows remote authenticated users to access a forum via the forum_get_discussions web service.
