CVE-2022-0333: Insufficient user authorization in Moodle
CVSS Score: 3.8 (CVSS v3.1)
Basic Information
CVE ID: CVE-2022-0333
GHSA ID:
EPSS Score: 0.48184%
CWE: CWE-863
Published: 1/28/2022
Updated: 9/13/2023
KEV Status: No
Technology: PHP
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
moodle/moodle | composer | >= 3.11, < 3.11.5 | 3.11.5 |
moodle/moodle | composer | >= 3.10, < 3.10.8 | 3.10.8 |
moodle/moodle | composer | >= 3.9, < 3.9.11 | 3.9.11 |
Vulnerability Intelligence
Root Cause Analysis (Miggo AI)
The vulnerability stemmed from system-level checks of the 'moodle/calendar:manageentries' capability that did not distinguish user events from other event types, so a user holding that capability at site level could manage events belonging to other users. The patch introduced calendar_can_manage_non_user_event_in_system() and calendar_can_manage_user_event() to enforce that distinction. The original functions contained direct has_capability('moodle/calendar:manageentries', $sitecontext) checks, which the patch replaced; this identifies them as the source of the excessive permissions. The commit message and the CWE-863 (Incorrect Authorization) classification confirm that authorization checks for user event types were missing in these functions.