Miggo Logo

CVE-2021-20184: Moodle Grade information disclosure in grade's external fetch functions

4.3

CVSS Score
3.1

Basic Information

EPSS Score
0.38057%
Published
5/24/2022
Updated
4/23/2024
KEV Status
No
Technology
TechnologyPHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
moodle/moodlecomposer>= 3.8, < 3.8.73.8.7
moodle/moodlecomposer>= 3.9, < 3.9.43.9.4
moodle/moodlecomposer>= 3.10, < 3.10.13.10.1

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability description explicitly mentions insufficient capability checks in grade-related web services. Moodle's grade external API (core_grades_external class in grade/externallib.php) contains the primary functions for grade retrieval via web services. The get_grades function is the main entry point for grade fetching operations and would require capability checks to prevent unauthorized access. The CWE-354 mapping (Improper Validation of Integrity Check Value) aligns with missing authorization validation. While commit details aren't available, the combination of 1) vulnerability context (grade disclosure via web services), 2) standard Moodle architecture patterns for external APIs, and 3) the explicit mention of 'external fetch functions' in multiple sources provides high confidence in this identification.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

It w*s *oun* in Moo*l* ***or* v*rsion *.**.*, *.*.* *n* *.*.* t**t * insu**i*i*nt **p**ility ****ks in som* *r*** r*l*t** w** s*rvi**s m**nt stu**nts w*r* **l* to vi*w ot**r stu**nts *r***s.

Reasoning

T** vuln*r**ility **s*ription *xpli*itly m*ntions insu**i*i*nt **p**ility ****ks in *r***-r*l*t** w** s*rvi**s. Moo*l*'s *r*** *xt*rn*l *PI (*or*_*r***s_*xt*rn*l *l*ss in *r***/*xt*rn*lli*.p*p) *ont*ins t** prim*ry *un*tions *or *r*** r*tri*v*l vi* w