The vulnerability stems from the `require_login` function in `lib/moodlelib.php`, which set the course state (via `$PAGE->set_cm`/`set_course`) before validating user access. The patch moves these calls to after the authentication checks. The original code flow allowed attackers to trigger course context initialization during login validation, exposing blocks and data from restricted courses. The commit explicitly addresses this by delaying course context setup until after validation, which confirms this function's role in the vulnerability.
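
The ordering problem described above, reduced to a minimal PHP model. This is an added illustration, not Moodle's code: `Page`, `can_access`, `require_login_before`, `require_login_after` and the sample data are all hypothetical.

```php
<?php
// Simplified model of the check-ordering flaw. NOT Moodle's implementation;
// every class, function and value here is hypothetical.

final class AccessDenied extends RuntimeException {}

final class Page {
    public ?string $course = null;
    // Blocks are rendered from whatever course context the page holds,
    // including when the page being rendered is an error or login page.
    public function visibleBlocks(array $blocksByCourse): array {
        return $this->course === null ? [] : ($blocksByCourse[$this->course] ?? []);
    }
}

function can_access(string $user, string $course, array $enrolments): bool {
    return in_array($course, $enrolments[$user] ?? [], true);
}

// Vulnerable ordering: page state is set before the access check runs.
function require_login_before(Page $page, string $user, string $course, array $enrolments): void {
    $page->course = $course;
    if (!can_access($user, $course, $enrolments)) {
        throw new AccessDenied("no access to $course");
    }
}

// Patched ordering: page state is set only after validation succeeds.
function require_login_after(Page $page, string $user, string $course, array $enrolments): void {
    if (!can_access($user, $course, $enrolments)) {
        throw new AccessDenied("no access to $course");
    }
    $page->course = $course;
}

// Constructed sample data.
$enrolments = ['alice' => ['course-101']];
$blocks = ['course-101' => ['News'], 'course-999' => ['Restricted block']];

foreach (['require_login_before', 'require_login_after'] as $fn) {
    $page = new Page();
    try {
        $fn($page, 'alice', 'course-999', $enrolments);
    } catch (AccessDenied $e) {
        // Access is refused either way; what differs is the state left on $page.
    }
    printf("%s: blocks left on page = %s\n", $fn, json_encode($page->visibleBlocks($blocks)));
}
```

Both variants refuse access; only the first leaves the restricted course's context on the page object that the error response is rendered from.
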
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| moodle/moodle | composer | < 2.6.9 | 2.6.9 |
| moodle/moodle | composer | >= 2.7.0, < 2.7.6 | 2.7.6 |
| moodle/moodle | composer | >= 2.8.0, < 2.8.4 | 2.8.4 |