Miggo Logo

CVE-2021-20185: Moodle Client side denial of service via personal message

5.3

CVSS Score
3.1

Basic Information

EPSS Score
0.66194%
Published
5/24/2022
Updated
4/23/2024
KEV Status
No
Technology
TechnologyPHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Package NameEcosystemVulnerable VersionsFirst Patched Version
moodle/moodlecomposer>= 3.5, < 3.5.163.5.16
moodle/moodlecomposer>= 3.8, < 3.8.73.8.7
moodle/moodlecomposer>= 3.9, < 3.9.43.9.4
moodle/moodlecomposer>= 3.10, < 3.10.13.10.1

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from missing message size validation in the messaging subsystem. The core messaging function message_send() in message/lib.php is directly responsible for processing and delivering messages. In vulnerable versions, this function lacked input size checks, enabling transmission of unbounded message payloads. The CWE-400/770 mapping confirms this is a resource consumption issue, and the Moodle security advisory (MDL-67782) specifically references messaging component changes. While exact commit details are unavailable, message_send() is the logical entry point where size validation would be implemented, making it the most likely vulnerable function.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

It w*s *oun* in Moo*l* ***or* v*rsion *.**.*, *.*.*, *.*.* *n* *.*.** t**t m*ss**in* *i* not impos* * ***r**t*r limit w**n s*n*in* m*ss***s, w*i** *oul* r*sult in *li*nt-si** (*rows*r) **ni*l o* s*rvi** *or us*rs r***ivin* v*ry l*r** m*ss***s.

Reasoning

T** vuln*r**ility st*ms *rom missin* m*ss*** siz* v*li**tion in t** m*ss**in* su*syst*m. T** *or* m*ss**in* *un*tion m*ss***_s*n*() in m*ss***/li*.p*p is *ir**tly r*sponsi*l* *or pro**ssin* *n* **liv*rin* m*ss***s. In vuln*r**l* v*rsions, t*is *un*ti