-
CVSS Score
-Basic Information
Technical Details
Vulnerability Intelligence
Miggo AI
Miggo AIMiggo AIMiggo AIRoot Cause AnalysisThe vulnerability combines session fixation (CWE-384) and code injection (CWE-94). Session fixation likely stems from improper session ID regeneration in the Shibboleth authentication flow, while code injection arises from unsafe handling of Shibboleth attributes. Key functions in Moodle's Shibboleth plugin (auth/shibboleth) are the authentication handler (auth.php) and user attribute processor (lib.php). These functions are standard in Moodle's auth plugins and align with the CWEs. The absence of session_regenerate_id() in auth_shibboleth_authenticate_user or unsafe input usage in auth_shibboleth_get_userinfo would directly explain the vulnerabilities.
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| moodle/moodle | composer | >= 3.11.0-beta, < 3.11.1 | 3.11.1 |
| moodle/moodle | composer | >= 3.10.0-beta, < 3.10.5 | 3.10.5 |
| moodle/moodle | composer | < 3.9.8 | 3.9.8 |
Ongoing coverage of React2Shell