-
CVSS Score
-Basic Information
CVE ID
-
GHSA ID
-
EPSS Score
-
CWE
-
Published
-
Updated
-
KEV Status
-
Technology
-
Technical Details
Vulnerability Intelligence
Miggo AI
Miggo AIMiggo AIMiggo AIRoot Cause AnalysisThe vulnerability stems from insufficient capability checks in message deletion via web services. The advisory explicitly mentions the messaging web service (MSA-21-0025) and references MDL-71917. Moodle's message deletion web service endpoint is typically implemented in core_message_external::delete_message, which would require capability checks to prevent cross-user deletions. The lack of these checks in vulnerable versions aligns with the CWE-276 description of incorrect permission validations.
PHPPHP| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| moodle/moodle | composer | >= 3.11.0-beta, < 3.11.1 | 3.11.1 |
| moodle/moodle | composer | >= 3.10.0-beta, < 3.10.5 | 3.10.5 |
| moodle/moodle |
| composer |
| < 3.9.8 |
| 3.9.8 |
Ongoing coverage of React2Shell