Miggo Logo
Miggo Vulnerability Database
CVE-2022-40316

CVE-2022-40316: Moodle No groups filtering in H5P activity attempts report

4.3

CVSS Score
3.1

Basic Information

CVE ID
CVE-2022-40316
GHSA ID
GHSA-385f-vgq7-8hhx
EPSS Score
0.42018%
CWE
CWE-668
Published
10/1/2022
Updated
4/23/2024
KEV Status
No
Technology
TechnologyPHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
moodle/moodlecomposer>= 3.9, < 3.9.173.9.17
moodle/moodlecomposer>= 3.11, < 3.11.103.11.10
moodle/moodlecomposer>= 4.0, < 4.0.44.0.4

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from missing group filtering in H5P activity reports. Moodle's standard pattern for group-restricted data involves: 1) Checking group mode 2) Adding group joins/conditions in SQL 3) Using groups API. The affected functions likely failed to implement these steps when querying attempt data. The high confidence comes from: 1) Problem matching Moodle's group handling pattern 2) References to MDL-71662/MDL-72012 tracking reports 3) Workaround involving capability removal 4) CWE-668/862 alignment with missing access controls in data retrieval functions.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T** **P **tivity *tt*mpts r*port *i* not *ilt*r *y *roups, w*i** in s*p*r*t* *roups mo** *oul* r*v**l in*orm*tion to non-**itin* t*****rs **out *tt*mpts/us*rs in *roups t**y s*oul* not **v* ****ss to.

Reasoning

T** vuln*r**ility st*ms *rom missin* *roup *ilt*rin* in **P **tivity r*ports. Moo*l*'s st*n**r* p*tt*rn *or *roup-r*stri*t** **t* involv*s: *) ****kin* *roup mo** *) ***in* *roup joins/*on*itions in `SQL` *) Usin* *roups `*PI`. T** *****t** *un*tions