
CVE-2016-2151: Moodle allows attackers to discover student e-mail addresses

CVSS Score (CVSS v3.0): 4.3

Basic Information

EPSS Score: 0.56667%
Published: 5/13/2022
Updated: 1/26/2024
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Package Name    Ecosystem   Vulnerable Versions    First Patched Version
moodle/moodle   composer    < 2.7.13               2.7.13
moodle/moodle   composer    >= 2.8.0, < 2.8.11     2.8.11
moodle/moodle   composer    >= 2.9.0, < 2.9.5      2.9.5
moodle/moodle   composer    >= 3.0.0, < 3.0.3      3.0.3

Vulnerability Intelligence
Root Cause Analysis (Miggo AI)

The vulnerability stemmed from an incorrect capability check in user/index.php. The commit diff shows the removal of 'has_capability('moodle/course:viewhiddenuserfields', $context)' from the conditional that controls email display. This check erroneously allowed users with the 'teacher' role (who had this capability) to view student emails. The patch removed this check, confirming it was the root cause of the authorization flaw.


WAF Protection Rules

WAF Rule

user/index.php in Moodle through 2.7.12, 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3 grants excessive authorization on the basis of the moodle/course:viewhiddenuserfields capability, which allows remote authen
