CVE-2014-7848: Moodle allows attackers to obtain sensitive information
CVSS Score: 5
Basic Information
CVE ID: CVE-2014-7848
GHSA ID
EPSS Score: 0.59159%
CWE
Published: 5/13/2022
Updated: 1/24/2024
KEV Status: No
Technology: PHP
Technical Details
CVSS Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
moodle/moodle | composer | >= 2.6.0, < 2.6.6 | 2.6.6 |
moodle/moodle | composer | >= 2.7.0, < 2.7.3 | 2.7.3 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from direct web access to lib/phpunit/bootstrap.php, which lacked a web access check. The file's error reporting configuration (error_reporting(E_ALL) and display_errors=1) exposed full path information when accessed. However, this is not caused by a specific function but rather by the absence of access control at the script level. The patch added a REMOTE_ADDR check to block web requests, indicating the vulnerability was structural (file accessibility) rather than tied to a particular function implementation.
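Because the root cause is a CLI-only script being reachable over HTTP, web access logs are the place to check for exposure. The following detection sketch is an added example, not code from Moodle or from this advisory; it assumes Apache/nginx "combined" log format, the function names are hypothetical, and the log lines are constructed.

```python
import posixpath
import re
from urllib.parse import unquote

# CLI-only script named in the root cause analysis above.
TARGET = "/lib/phpunit/bootstrap.php"

# Apache/nginx "combined" access log format (an assumption of this example).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (documentation-range addresses), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Nov/2014:09:12:01 +0000] "GET /lib/phpunit/bootstrap.php HTTP/1.1" 200 1843 "-" "-"',
    '198.51.100.23 - - [10/Nov/2014:09:13:44 +0000] "GET /moodle/lib/%70hpunit//bootstrap.php?x=1 HTTP/1.1" 200 1851 "-" "-"',
    '192.0.2.50 - - [10/Nov/2014:09:14:02 +0000] "GET /course/view.php?id=4 HTTP/1.1" 200 9120 "-" "-"',
    '203.0.113.7 - - [12/Nov/2014:17:30:10 +0000] "GET /lib/phpunit/bootstrap.php HTTP/1.1" 403 199 "-" "-"',
]


def normalise(uri):
    """Canonicalise a request target so encoded or padded paths still match."""
    path = unquote(uri.split("?", 1)[0])               # drop query, decode %xx
    path = posixpath.normpath("/" + path.lstrip("/"))  # collapse //, ./ and ../
    return path.lower()                                # case-insensitive filesystems


def find_direct_hits(lines):
    """Return one record per web request that targeted the PHPUnit bootstrap."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line
        path = normalise(m["uri"])
        # endswith: Moodle under a subdirectory; "in": trailing PATH_INFO segment.
        if path.endswith(TARGET) or TARGET + "/" in path:
            status = int(m["status"])
            # 2xx means the server ran the script; it does not prove disclosure.
            hits.append({"ip": m["ip"], "time": m["ts"], "path": path,
                         "status": status, "reachable": 200 <= status < 300})
    return hits


if __name__ == "__main__":
    for hit in find_direct_hits(SAMPLE_LOG):
        print(hit)
```

Any hit with `reachable` set on a version in the vulnerable ranges listed above is worth following up by upgrading to the first patched version and, independently, denying web access to the `lib/phpunit/` directory at the web server.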