CVE-2021-36397: Moodle has Incorrect Default Permissions
5.3
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.63187%
CWE
Published
3/7/2023
Updated
3/13/2023
KEV Status
No
Technology
PHP
PHPTechnical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| moodle/moodle | composer | >= 3.11.0-beta, < 3.11.1 | 3.11.1 |
| moodle/moodle | composer | >= 3.10.0-beta, < 3.10.5 | 3.10.5 |
| moodle/moodle | composer | < 3.9.8 | 3.9.8 |
Vulnerability Intelligence
Miggo AI
Miggo AIRoot Cause Analysis
The vulnerability stems from insufficient capability checks in message deletion via web services. The advisory explicitly mentions the messaging web service (MSA-21-0025) and references MDL-71917. Moodle's message deletion web service endpoint is typically implemented in core_message_external::delete_message, which would require capability checks to prevent cross-user deletions. The lack of these checks in vulnerable versions aligns with the CWE-276 description of incorrect permission validations.