CVE-2021-40692: Moodle Incorrect Authorization
CVSS Score: 4.3 (CVSS 3.1)
Basic Information
CVE ID
GHSA ID
EPSS Score: 0.33384%
CWE
Published: 9/30/2022
Updated: 4/23/2024
KEV Status: No
Technology: PHP
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
moodle/moodle | composer | >= 3.11, < 3.11.3 | 3.11.3 |
moodle/moodle | composer | >= 3.10, < 3.10.7 | 3.10.7 |
moodle/moodle | composer | >= 3.9, < 3.9.10 | 3.9.10 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from insufficient authorization checks when retrieving course participants. Moodle gates participant listing on course context validation and the 'moodle/course:viewparticipants' capability check. The primary participant-retrieval function (core_user::get_participants) would be the logical location of the missing context validation, while enrolment functions such as enrol_get_my_courses may contribute by selecting an improper course ID. The high confidence placed on core_user::get_participants is consistent with the vulnerability mechanism described in the advisories.