
CVE-2022-0333: Insufficient user authorization in Moodle

CVSS Score (v3.1): 3.8

Basic Information

EPSS Score: 0.48184%
Published: 1/28/2022
Updated: 9/13/2023
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N
Package Name    Ecosystem   Vulnerable Versions   First Patched Version
moodle/moodle   composer    >= 3.11, < 3.11.5     3.11.5
moodle/moodle   composer    >= 3.10, < 3.10.8     3.10.8
moodle/moodle   composer    >= 3.9, < 3.9.11      3.9.11

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stemmed from system-level 'calendar:manageentries' capability checks that didn't differentiate between user events and other event types. The patch introduced calendar_can_manage_non_user_event_in_system() and calendar_can_manage_user_event() to add these restrictions. The original functions listed above contained direct has_capability('moodle/calendar:manageentries', $sitecontext) checks that were replaced in the patch, indicating they were the source of excessive permissions. The commit message and CWE-863 classification confirm authorization checks were missing for user event types in these functions.
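The split the advisory describes, as an added PHP illustration that is not Moodle's or Miggo's code: a stand-in has_capability(), the single system-level check the advisory attributes to the vulnerable functions, and the two replacement checks named in the patch. The function bodies, the stub's signature and the owner-only rule for 'user' events are this example's assumptions.

```php
<?php
// Added illustration, not Moodle's code: a minimal stand-in for Moodle's
// has_capability() so both checks run offline. The owner-only policy for
// 'user' events is this example's assumption, not the exact patch logic.
declare(strict_types=1);

// Constructed grants: which role holds which capability at system level.
const CAPS = [
    'manager' => ['moodle/calendar:manageentries', 'moodle/calendar:manageownentries'],
    'student' => ['moodle/calendar:manageownentries'],
];

function has_capability(string $capability, string $role): bool {
    return in_array($capability, CAPS[$role] ?? [], true);
}

// Vulnerable form (the pattern the advisory describes): one system-level
// check decides every event type, so a manager can edit any user's event.
function can_manage_event_vulnerable(array $event, array $user): bool {
    return has_capability('moodle/calendar:manageentries', $user['role']);
}

// Hardened form: the system-level capability covers non-user events only;
// a 'user' event additionally requires ownership (assumed policy).
function calendar_can_manage_non_user_event_in_system(array $event, array $user): bool {
    return $event['eventtype'] !== 'user'
        && has_capability('moodle/calendar:manageentries', $user['role']);
}

function calendar_can_manage_user_event(array $event, array $user): bool {
    return $event['eventtype'] === 'user'
        && $event['userid'] === $user['id']
        && has_capability('moodle/calendar:manageownentries', $user['role']);
}

function can_manage_event_fixed(array $event, array $user): bool {
    return calendar_can_manage_non_user_event_in_system($event, $user)
        || calendar_can_manage_user_event($event, $user);
}

// Constructed sample data: a manager, a course event and a student's private event.
$manager = ['id' => 1, 'role' => 'manager'];
$events = ['course event' => ['eventtype' => 'course', 'userid' => 1],
           "alice's user event" => ['eventtype' => 'user', 'userid' => 2]];
foreach ($events as $label => $event) {
    printf("manager on %-18s vulnerable=%s fixed=%s\n", $label,
        var_export(can_manage_event_vulnerable($event, $manager), true),
        var_export(can_manage_event_fixed($event, $manager), true));
}
```

Run with `php` on the command line: the vulnerable check returns true for both events, while the hardened check returns true for the course event and false for the other user's private event.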

Vulnerable functions


WAF Protection Rules

WAF Rule

A flaw was found in Moodle in versions 3.11 to 3.11.4, 3.10 to 3.10.7, 3.9 to 3.9.10 and earlier unsupported versions. The calendar:manageentries capability allowed managers to access or modify any calendar event, but should have been restricted from
