CVE-2021-32472: Moodle Exposure of Sensitive Information to an Unauthorized Actor
CVSS Score (v3.1): 4.3
Basic Information
CVE ID: CVE-2021-32472
GHSA ID:
EPSS Score: 0.5903%
CWE:
Published: 3/12/2022
Updated: 4/23/2024
KEV Status: No
Technology: PHP
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| moodle/moodle | composer | >= 3.8.0, < 3.8.9 | 3.8.9 |
| moodle/moodle | composer | >= 3.9.0, < 3.9.7 | 3.9.7 |
| moodle/moodle | composer | >= 3.10.0, < 3.10.4 | 3.10.4 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from missing authorization checks during forum CSV exports. Key indicators:
- CWE-862 (Missing Authorization) implies a failure to validate course-specific permissions
- The export functionality would logically reside in dedicated export handlers (mod/forum/classes/external/export.php) and core forum libraries
- Moodle's architecture typically uses capability checks in context-bound functions - the absence of context-aware checks (e.g. require_capability('mod/forum:exportforum', $context)) would explain cross-course access
- The patch versions' release notes and tracker reference (MDL-71359) suggest authorization logic was added to export workflows.

While the exact pre-patch code isn't available, Moodle's modular structure and the vulnerability pattern strongly implicate these core forum export functions.