The vulnerability stemmed from missing group visibility checks in multiple course report authorization functions. The commit diff adds groups_user_groups_visible() checks to these functions to enforce group separation. Before the patch, they granted access based solely on course-level capabilities (such as report/*:view) without verifying that the teacher shared a group with the target user, which is required in courses with forced group separation. As a result, a teacher who held a report-viewing capability but lacked moodle/site:accessallgroups could bypass group restrictions.
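To make the authorization pattern concrete, the following is an added illustration and not Moodle's own code or the commit itself. It places the pre-patch shape of a report access check (course-level capability only) beside the patched shape (capability plus a groups_user_groups_visible() check, with moodle/site:accessallgroups as the exemption). The function names prefixed report_example_ are hypothetical, and the capability 'report/example:view' stands in for the report/*:view capabilities named above; has_capability(), context_course::instance() and required_capability_exception are standard Moodle APIs.

```php
<?php
// Added illustration of the access-control pattern described above; not Moodle's
// own code. The report_example_* function names are hypothetical, and the
// capability 'report/example:view' is a stand-in for the report/*:view family.

defined('MOODLE_INTERNAL') || die();

/**
 * Pre-patch shape: a course-level capability is the only gate. A teacher with
 * the report capability can view any enrolled user's report, even in a course
 * with forced group separation where they share no group with that user.
 */
function report_example_can_view_unpatched(stdClass $course, int $userid): bool {
    $context = context_course::instance($course->id);
    return has_capability('report/example:view', $context);
}

/**
 * Patched shape: the course-level capability is still required, and group
 * separation is then enforced. Holders of moodle/site:accessallgroups are
 * exempt (spelled out explicitly here; whether groups_user_groups_visible()
 * also honours it internally is an assumption, so the explicit check costs
 * nothing). Everyone else must share a group with the target user.
 */
function report_example_can_view_patched(stdClass $course, int $userid): bool {
    $context = context_course::instance($course->id);
    if (!has_capability('report/example:view', $context)) {
        return false;
    }
    if (has_capability('moodle/site:accessallgroups', $context)) {
        return true;
    }
    // Enforces group separation between the current user and $userid.
    return groups_user_groups_visible($course, $userid);
}

/**
 * Typical use at the top of a report page: fail closed with a capability
 * exception rather than rendering the report for an unauthorised viewer.
 */
function report_example_require_view(stdClass $course, int $userid): void {
    if (!report_example_can_view_patched($course, $userid)) {
        throw new required_capability_exception(
            context_course::instance($course->id),
            'report/example:view',
            'nopermissions',
            ''
        );
    }
}
```

The point of the patched version is the order of checks: the capability gate alone answers "may this role see reports at all", while groups_user_groups_visible() answers "may this particular viewer see this particular user", and the second question only matters once the first has been passed and the viewer does not hold accessallgroups.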
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| moodle/moodle | composer | >= 3.3.0, <= 3.3.1 | 3.3.2 |
| moodle/moodle | composer | >= 3.2.0, <= 3.2.4 | 3.2.5 |
| moodle/moodle | composer | <= 3.1.7 | 3.1.8 |