
CVE-2015-0215: Moodle allows attackers to obtain sensitive calendar-event information

CVSS Score: 4

Basic Information

EPSS Score: 0.40591%
Published: 5/13/2022
Updated: 1/25/2024
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N

Package Name   | Ecosystem | Vulnerable Versions | First Patched Version
moodle/moodle  | composer  | < 2.6.7             | 2.6.7
moodle/moodle  | composer  | >= 2.7.0, < 2.7.4   | 2.7.4
moodle/moodle  | composer  | >= 2.8.0, < 2.8.2   | 2.8.2

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from insufficient access checks in calendar/externallib.php's web-service handler. The key commit 76aea85 shows that the fix involved adding context validation (self::validate_context) to the get_calendar_events function. Prior to this patch, the code only checked course enrollment but didn't validate context permissions, enabling unauthorized data exposure. The vulnerability description explicitly mentions calendar/externallib.php as the source, and the CWE-200 classification aligns with missing authorization checks in this function.

WAF Protection Rules

WAF Rule

calendar/externallib.php in Moodle through 2.5.9, 2.6.x before 2.6.7, 2.7.x before 2.7.4, and 2.8.x before 2.8.2 allows remote authenticated users to obtain sensitive calendar-event information via a web-services request.
