CVE-2015-0215: Moodle allows attackers to obtain sensitive calendar-event information
CVSS Score: 4
Basic Information
CVE ID
GHSA ID
EPSS Score: 0.40591%
CWE
Published: 5/13/2022
Updated: 1/25/2024
KEV Status: No
Technology: PHP
Technical Details
CVSS Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
moodle/moodle | composer | < 2.6.7 | 2.6.7 |
moodle/moodle | composer | >= 2.7.0, < 2.7.4 | 2.7.4 |
moodle/moodle | composer | >= 2.8.0, < 2.8.2 | 2.8.2 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from insufficient access checks in calendar/externallib.php's web-service handler. The key commit 76aea85 shows that the fix involved adding context validation (self::validate_context) to the get_calendar_events function. Prior to this patch, the code only checked course enrollment but didn't validate context permissions, enabling unauthorized data exposure. The vulnerability description explicitly mentions calendar/externallib.php as the source, and the CWE-200 classification aligns with missing authorization checks in this function.
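
The pattern described above, as a simplified model added here for illustration; it is not Moodle's code or the contents of the commit. The data, the function names and the `accessible` flag standing in for whatever context validation enforces are all assumptions.

```php
<?php
// Simplified stand-in model, not Moodle source. All names and data are
// constructed; only the idea of an added context check comes from the page.

final class ContextAccessException extends Exception {}

// Constructed data: user 7 is enrolled in courses 10 and 20, but the context
// check refuses course 20 (the 'accessible' flag is an assumed stand-in).
const ENROLMENTS = [7 => [10, 20]];
const COURSES = [
    10 => ['accessible' => true,  'events' => ['Quiz opens']],
    20 => ['accessible' => false, 'events' => ['Staff-only review']],
];

// Hypothetical stand-in for the context validation the fix added.
function validate_context_model(int $courseid): void {
    if (!COURSES[$courseid]['accessible']) {
        throw new ContextAccessException("course $courseid: context not accessible");
    }
}

// "Before": an enrolment record is the only gate.
function get_events_before(int $userid, array $courseids): array {
    $events = [];
    foreach (array_intersect($courseids, ENROLMENTS[$userid] ?? []) as $id) {
        $events[$id] = COURSES[$id]['events'];
    }
    return ['events' => $events, 'warnings' => []];
}

// "After": each enrolled course must also pass context validation, and a
// refused course is reported as a warning instead of returning its events.
function get_events_after(int $userid, array $courseids): array {
    $events = [];
    $warnings = [];
    foreach (array_intersect($courseids, ENROLMENTS[$userid] ?? []) as $id) {
        try {
            validate_context_model($id);
            $events[$id] = COURSES[$id]['events'];
        } catch (ContextAccessException $e) {
            $warnings[] = $e->getMessage();
        }
    }
    return ['events' => $events, 'warnings' => $warnings];
}

// Course 30 is requested without enrolment; both versions drop it.
print_r(get_events_before(7, [10, 20, 30]));
print_r(get_events_after(7, [10, 20, 30]));
```

When testing a patched handler, include a case where enrolment exists but the context check fails, since that is the only input on which the two versions differ.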