CVE-2014-7846: Moodle does not consider the moodle/tag:edit capability before adding a tag
CVSS Score: 4
Basic Information
CVE ID: CVE-2014-7846
GHSA ID:
EPSS Score: 0.47528%
CWE: -
Published: 5/13/2022
Updated: 1/24/2024
KEV Status: No
Technology: PHP
Technical Details
CVSS Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| moodle/moodle | composer | < 2.5.9 | 2.5.9 |
| moodle/moodle | composer | >= 2.6.0, < 2.6.6 | 2.6.6 |
| moodle/moodle | composer | >= 2.7.0, < 2.7.3 | 2.7.3 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from a missing capability check in tag_autocomplete.php. The original code only verified that the user was authenticated (require_login) and omitted require_capability('moodle/tag:edit'), so any logged-in user could add tags regardless of whether they held the tag-editing capability. The commit diff adds this capability check along with other security hardening (for example, input validation via PARAM_TAG). The vulnerable code path is the procedural flow in tag_autocomplete.php, which handled the AJAX request without an authorization check. No specific named function is vulnerable on its own; the script's entry point is the point of failure.