CVE-2021-36400: Moodle has Incorrect Default Permissions

CVSS Score (v3.1): 5.3

Basic Information

EPSS Score: 0.41891%
Published: 3/7/2023
Updated: 3/13/2023
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Package Name   | Ecosystem | Vulnerable Versions       | First Patched Version
moodle/moodle  | composer  | >= 3.11.0-beta, < 3.11.1  | 3.11.1
moodle/moodle  | composer  | >= 3.10.0-beta, < 3.10.5  | 3.10.5
moodle/moodle  | composer  | < 3.9.8                   | 3.9.8

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability centers on missing capability checks when removing calendar subscriptions. The calendar_delete_subscription function would be the primary entry point for subscription deletion operations. The CWE-639 classification (User-Controlled Key) indicates that the function accepted user-provided subscription IDs without verifying ownership or proper permissions (CWE-276). Moodle's security model typically requires a capability check such as require_capability() before sensitive operations; based on the description of insufficient authorization checks, that check appears to have been missing here.
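
The following PHP snippet is an added illustration of the failure class described above (a deletion entry point that trusts a user-supplied record id, CWE-639), beside a hardened form that verifies ownership or a manage capability before deleting. It is not Moodle's code and does not reproduce Moodle's fix: the in-memory subscription store, the `$managers` capability stand-in, and the function names `delete_subscription_unchecked` and `delete_subscription_checked` are all constructed for this example. In a real Moodle context the second function's check would be expressed with the platform's own capability API, such as the require_capability() call the analysis mentions.

```php
<?php
// Constructed stand-in for a calendar subscription table: id => record.
// The 'userid' column is the owner of the subscription.
$subscriptions = [
    101 => ['userid' => 7, 'name' => 'Team calendar'],
    102 => ['userid' => 9, 'name' => 'Personal feed'],
];

// Constructed stand-in for a capability model: user ids allowed to manage
// every subscription (an admin-style role). Real systems derive this from
// role assignments, not a literal array.
$managers = [1 => true];

final class AuthorizationException extends RuntimeException {}

// Vulnerable shape (CWE-639): the id supplied by the caller is the only
// input that decides what gets deleted. Any authenticated user who can
// guess or enumerate an id can remove another user's record.
function delete_subscription_unchecked(array &$subscriptions, int $id): bool {
    if (!isset($subscriptions[$id])) {
        return false;
    }
    unset($subscriptions[$id]);
    return true;
}

// Hardened shape: load the record first, then require that the caller is
// either its owner or holds the manage capability. The decision is made on
// the server-side record, never on anything the client asserts about it.
function delete_subscription_checked(
    array &$subscriptions,
    array $managers,
    int $callerid,
    int $id
): bool {
    if (!isset($subscriptions[$id])) {
        return false;
    }
    $record    = $subscriptions[$id];
    $isowner   = ($record['userid'] === $callerid);
    $canmanage = !empty($managers[$callerid]);
    if (!$isowner && !$canmanage) {
        // Deny before any state change; log this as an authorization failure
        // in real code, since a burst of them is a detection signal.
        throw new AuthorizationException(
            "user $callerid is not permitted to delete subscription $id"
        );
    }
    unset($subscriptions[$id]);
    return true;
}

// Walk-through: user 9 asks to delete subscription 101, which belongs to user 7.
$copy = $subscriptions;
delete_subscription_unchecked($copy, 101);
echo 'unchecked: record 101 still present? ', var_export(isset($copy[101]), true), PHP_EOL;

$copy = $subscriptions;
try {
    delete_subscription_checked($copy, $managers, 9, 101);
} catch (AuthorizationException $e) {
    echo 'checked: denied (', $e->getMessage(), ')', PHP_EOL;
}
echo 'checked: record 101 still present? ', var_export(isset($copy[101]), true), PHP_EOL;

// The owner (7) and a manager (1) are still allowed to delete.
echo 'owner delete: ', var_export(delete_subscription_checked($copy, $managers, 7, 101), true), PHP_EOL;
echo 'manager delete: ', var_export(delete_subscription_checked($copy, $managers, 1, 102), true), PHP_EOL;
```

The point the two functions make side by side is that the record's owner must be read from storage and compared with the authenticated caller before the delete runs; checking only that the id exists, or relying on the client to send its own user id, leaves the authorization decision under the attacker's control.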

WAF Protection Rules

WAF Rule

In Moodle, insufficient capability checks made it possible to remove other users' calendar URL subscriptions.
