
CVE-2021-32473: Moodle Information Disclosure vulnerability

CVSS Score (v3.1): 5.3

Basic Information

EPSS Score: 0.6278%
Published: 3/12/2022
Updated: 4/23/2024
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Package Name    Ecosystem   Vulnerable Versions    First Patched Version
moodle/moodle   composer    >= 3.5, < 3.5.18       3.5.18
moodle/moodle   composer    >= 3.8, < 3.8.9        3.8.9
moodle/moodle   composer    >= 3.9, < 3.9.7        3.9.7
moodle/moodle   composer    >= 3.10, < 3.10.4      3.10.4

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability is an unauthorized grade disclosure through the quiz web services. Moodle's quiz web-service (external API) functions are implemented in the mod_quiz_external class (mod/quiz/classes/external.php in the 3.x series), and one of them returns a user's quiz grade. In Moodle, whether a student may see their marks is governed by the quiz's review options (the reviewmarks setting), which a teacher can restrict per phase: during the attempt, immediately after it, later while the quiz is still open, or only after the quiz closes. Pre-patch versions returned the grade from the web service without applying that release check, so a student could retrieve through the API a grade that the quiz's own review pages would not yet show. This is the CWE-200 pattern: a sensitive value exposed through an API endpoint that lacks the access control the rest of the application enforces. This analysis names mod_quiz_external::get_quiz_grades as the responsible function; that is an inference rather than a citation of the fix commit, and the exact function should be confirmed against the diff between an affected release and its first patched version (for example 3.10.3 against 3.10.4) before it is used for detection or patch verification.
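To make the missing check concrete, the following is an added example written for this page, not Moodle's own source or its fix. It re-implements, as a stand-alone script, the part of Moodle's review-option model that decides whether marks are visible: the reviewmarks bitmask and phase constants of mod_quiz_display_options, the phase selection performed by quiz_attempt_state(), and the MARK_AND_MAX/MAX_ONLY levels of question_display_options. The quiz, attempt and grade values are constructed, and the two handler functions (get_best_grade_unchecked, get_best_grade_checked) are hypothetical names standing in for a web-service function, not Moodle's real external functions.

```php
<?php
// Added illustration (not Moodle code): the quiz review-option gate that a
// grade-returning web-service function must apply, shown beside a handler
// that skips it. Constants mirror mod_quiz_display_options and
// question_display_options; the data below is constructed for the demo.

// Bit positions Moodle stores in $quiz->reviewmarks, one per review phase.
const REVIEW_DURING            = 0x10000;
const REVIEW_IMMEDIATELY_AFTER = 0x01000;
const REVIEW_LATER_WHILE_OPEN  = 0x00100;
const REVIEW_AFTER_CLOSE       = 0x00010;

// Levels of question_display_options::$marks.
const MARKS_HIDDEN       = 0;
const MARKS_MAX_ONLY     = 1; // student sees only the maximum mark
const MARKS_MARK_AND_MAX = 2; // student sees their mark and the maximum

// Window after an attempt finishes that counts as "immediately after".
const IMMEDIATELY_AFTER_PERIOD = 120; // seconds, as in quiz_attempt_state()

/** Which review phase applies to this attempt right now. */
function review_phase(array $quiz, array $attempt, int $now): int {
    if ($attempt['state'] === 'inprogress') {
        return REVIEW_DURING;
    }
    if ($quiz['timeclose'] && $now >= $quiz['timeclose']) {
        return REVIEW_AFTER_CLOSE;
    }
    if ($now < $attempt['timefinish'] + IMMEDIATELY_AFTER_PERIOD) {
        return REVIEW_IMMEDIATELY_AFTER;
    }
    return REVIEW_LATER_WHILE_OPEN;
}

/** Marks visibility for a phase, derived from the reviewmarks bitmask. */
function marks_visibility(array $quiz, int $phase): int {
    return ($quiz['reviewmarks'] & $phase) ? MARKS_MARK_AND_MAX : MARKS_MAX_ONLY;
}

/** Vulnerable shape: hands back the stored grade with no release check. */
function get_best_grade_unchecked(array $quiz, array $attempt, float $grade, int $now): ?float {
    return $grade;
}

/** Hardened shape: returns the grade only when marks are visible in the current phase. */
function get_best_grade_checked(array $quiz, array $attempt, float $grade, int $now): ?float {
    $phase = review_phase($quiz, $attempt, $now);
    if (marks_visibility($quiz, $phase) < MARKS_MARK_AND_MAX) {
        return null; // grade not released for this phase
    }
    return $grade;
}

// Constructed scenario: teacher set "Marks" to be reviewable only after the
// quiz closes at t=2000; the student finished an attempt at t=1000.
$quiz    = ['timeclose' => 2000, 'reviewmarks' => REVIEW_AFTER_CLOSE];
$attempt = ['state' => 'finished', 'timefinish' => 1000];
$grade   = 8.5;

foreach ([1500 => 'before close', 2500 => 'after close'] as $now => $label) {
    printf("%s: unchecked=%s checked=%s\n", $label,
        var_export(get_best_grade_unchecked($quiz, $attempt, $grade, $now), true),
        var_export(get_best_grade_checked($quiz, $attempt, $grade, $now), true));
}
```

Run it with the php CLI. While the quiz is still open the unchecked handler returns the grade and the checked one returns NULL; after timeclose both return it. In real Moodle code the equivalent of the checked branch is obtained from mod_quiz_display_options::make_from_quiz() (or quiz_get_review_options() for a specific attempt) by testing $options->marks, and the web-service function must apply it to the same phase the quiz review page would use, otherwise the API becomes a side channel around the teacher's release settings.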

WAF Protection Rules

WAF Rule

It was possible for a student to view their quiz grade before it had been released, using a quiz web service. Moodle 3.10 to 3.10.3, 3.9 to 3.9.6, 3.8 to 3.8.8, 3.5 to 3.5.17 and earlier unsupported versions are affected.
