CVE-2021-20282: Moodle Bypass email verification secret when confirming account registration

CVSS Score (v3.1): 5.3

Basic Information

EPSS Score
0.53219%
Published
5/24/2022
Updated
4/23/2024
KEV Status
No
Technology
PHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Package Name     Ecosystem   Vulnerable Versions   First Patched Version
moodle/moodle    composer    >= 3.5, < 3.5.17      3.5.17
moodle/moodle    composer    >= 3.8, < 3.8.8       3.8.8
moodle/moodle    composer    >= 3.9, < 3.9.5       3.9.5
moodle/moodle    composer    >= 3.10, < 3.10.2     3.10.2

Vulnerability Intelligence
Root Cause Analysis

The vulnerability centers on improper authorization (CWE-863) in email verification. Moodle's account confirmation process normally requires the user to present a secret token that was sent to them by email. The core_user::confirm_user function in user/lib.php handles this verification. The available details indicate that this function did not adequately validate the secret parameter against the stored value, so an empty or arbitrary value, or a manipulated parameter, could be accepted. This matches the broader pattern of confirmation endpoints that accept requests without properly checking the secret. The exact vulnerable code is not available here, but the function's role in user confirmation and the CWE classification make it the most probable location of the flaw.

WAF Protection Rules

WAF Rule

When creating a user account, it was possible to verify the account without having access to the verification email link/secret in moodle before 3.5.17, 3.8.8, 3.9.5, 3.10.2.
