CVE-2021-36400: Moodle has Incorrect Default Permissions
5.3
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.41891%
CWE
Published
3/7/2023
Updated
3/13/2023
KEV Status
No
Technology
PHP
PHPTechnical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| moodle/moodle | composer | >= 3.11.0-beta, < 3.11.1 | 3.11.1 |
| moodle/moodle | composer | >= 3.10.0-beta, < 3.10.5 | 3.10.5 |
| moodle/moodle | composer | < 3.9.8 | 3.9.8 |
Vulnerability Intelligence
Miggo AI
Miggo AIRoot Cause Analysis
The vulnerability centers on missing capability checks when removing calendar subscriptions. The calendar_delete_subscription function would be the primary entry point for subscription deletion operations. The CWE-639 (User-Controlled Key) indicates the function accepted user-provided subscription IDs without verifying ownership or proper permissions (CWE-276). Moodle's security model typically requires capability checks like 'require_capability' before sensitive operations, which appears to have been missing here based on the vulnerability description of insufficient authorization checks.