6.5

CVSS Score

3.0

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2018-1134

CVE-2018-1134: Moodle Improper Privilege Management

An issue was discovered in Moodle 3.x. Students who submitted assignments and exported them to portfolios can download any stored Moodle file by changing the download URL.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2018-1134

CVE-2018-1134:

6.5

CVSS Score

3.0

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
moodle/moodle	composer	>= 3.1, < 3.1.12	3.1.12
moodle/moodle	composer	>= 3.2, < 3.2.9	3.2.9
moodle/moodle	composer	>= 3.3, < 3.3.6	3.3.6
moodle/moodle	composer	>= 3.4, < 3.4.3	3.4.3

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper privilege management in portfolio export functionality. The advisory explicitly references the portfolio assignment caller class (MDL-62210) and describes URL manipulation to access unauthorized files. The prepare_package method is responsible for preparing submission files for portfolio export. If this method fails to validate() whether the requested files belong to the user's submission context, it would enable the described vulnerability. This aligns with the CWE-269 classification and the attack pattern described (modifying download URLs to access unauthorized resources).

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

6.5

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2018-1134: Moodle Improper Privilege Management

CVE-2018-1134:

6.5

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Technical Details

Basic Information

Basic Information

6.5

6.5

CVE-2018-1134: Moodle Improper Privilege Management

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI