
CVE-2021-20283: Missing permission check in Moodle

CVSS Score (v3.1): 4.3

Basic Information

EPSS Score: 0.51443%
Published: 5/24/2022
Updated: 4/23/2024
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Package Name    Ecosystem   Vulnerable Versions     First Patched Version
moodle/moodle   composer    >= 3.10.0, < 3.10.2     3.10.2
moodle/moodle   composer    >= 3.9.0, < 3.9.5       3.9.5
moodle/moodle   composer    >= 3.8.0, < 3.8.8       3.8.8
moodle/moodle   composer    < 3.5.17                3.5.17

Vulnerability Intelligence (Miggo AI)

Root Cause Analysis

The vulnerability description explicitly names a missing permission check in the web service that fetches other users' enrolled courses. In Moodle's architecture:

  1. Enrolment-related web service functions live in enrol/externallib.php (class core_enrol_external).
  2. The core_enrol_get_users_courses web service function, implemented by core_enrol_external::get_users_courses(), is the endpoint that returns the list of courses a given user is enrolled in.
  3. CWE-862 (Missing Authorization) matches the observed defect: the function iterated over the target user's courses without checking, in each course context, that the requesting user held the 'moodle/user:viewdetails' capability for that user.
  4. The Moodle tracker issue MDL-70822 references exactly this functionality.
  5. The patched versions (3.10.2, 3.9.5, 3.8.8, 3.5.17) add a per-course, context-level capability check inside that course iteration loop, so a requester who can access a course but has no right to view another user's details there no longer learns that the user is enrolled in it.
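The following is an added illustration, not Moodle's own code: a simplified model of the loop that core_enrol_get_users_courses runs over a target user's enrolments, with the unpatched form (no per-user authorisation, CWE-862) beside a hardened form that applies the per-course capability check described above. Moodle's real implementation uses context_course::instance() and has_capability(); here those are replaced by in-memory arrays so the script runs stand-alone. The capability name 'moodle/user:viewdetails' follows the analysis above; all user and course ids, the helper names has_cap() and can_access_course(), and the fixture data are constructed for this example.

```php
<?php
// Added illustration, not Moodle's own code. Models the enrolment listing loop
// behind core_enrol_get_users_courses. Moodle's context_course::instance() and
// has_capability() are replaced by in-memory arrays; ids, helper names and
// fixture data are constructed for this example.

declare(strict_types=1);

/** Constructed stand-in for has_capability($cap, context_course::instance($courseid)). */
function has_cap(array $caps, int $userid, int $courseid, string $capability): bool
{
    return in_array($capability, $caps[$userid][$courseid] ?? [], true);
}

/** Constructed stand-in for "can the requester access this course at all?" (is enrolled in it). */
function can_access_course(array $enrolments, int $userid, int $courseid): bool
{
    return in_array($courseid, $enrolments[$userid] ?? [], true);
}

// Unpatched form: every course the target is enrolled in is returned as soon as
// the requester can access that course. Nothing checks that the requester may
// view details about *that user* in that course.
function get_users_courses_vulnerable(int $requester, int $targetid, array $enrolments, array $caps): array
{
    $out = [];
    foreach ($enrolments[$targetid] ?? [] as $courseid) {
        if (!can_access_course($enrolments, $requester, $courseid)) {
            continue;
        }
        $out[] = $courseid;
    }
    return $out;
}

// Hardened form: when asking about another user, additionally require the
// per-course capability in that course's context before disclosing the enrolment.
function get_users_courses_fixed(int $requester, int $targetid, array $enrolments, array $caps): array
{
    $out = [];
    foreach ($enrolments[$targetid] ?? [] as $courseid) {
        if (!can_access_course($enrolments, $requester, $courseid)) {
            continue;
        }
        if ($requester !== $targetid
                && !has_cap($caps, $requester, $courseid, 'moodle/user:viewdetails')) {
            continue; // the context-level check the unpatched code lacked
        }
        $out[] = $courseid;
    }
    return $out;
}

// Constructed fixture: user 7 is enrolled in courses 10, 11 and 12. User 2 is
// enrolled in the same three courses but only holds moodle/user:viewdetails in
// course 12 (for instance, a teacher role there).
$enrolments = [
    2 => [10, 11, 12],
    7 => [10, 11, 12],
];
$caps = [
    2 => [12 => ['moodle/user:viewdetails']],
];

var_dump(get_users_courses_vulnerable(2, 7, $enrolments, $caps));
var_dump(get_users_courses_fixed(2, 7, $enrolments, $caps));
var_dump(get_users_courses_fixed(7, 7, $enrolments, $caps));
```

Run with `php` on the command line. The unpatched function discloses all three of user 7's enrolments to user 2, who is merely a fellow student in courses 10 and 11; the hardened function discloses only course 12, where user 2 holds the capability, and a user asking about their own enrolments is unaffected. The check must be made inside the loop against each course's own context, since capabilities in Moodle are assigned per context and a role in one course says nothing about another.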


WAF Protection Rules

WAF Rule

The web service responsible for fetching other users' enrolled courses did not validate that the requesting user had permission to view that information in each course in Moodle before 3.10.2, 3.9.5, 3.8.8, 3.5.17.
