The vulnerability stems from improper access control when updating the 'start page' user preference. Moodle's user preference system uses functions like core_user::update_preference and useredit_update_user_preference to handle these updates. The lack of capability checks (e.g., verifying 'moodle/user:editprofile' or ensuring the acting user matches the target user) in these functions would allow attackers to arbitrarily set another user's start page. This aligns with the CWE-284 description and the advisory's mention of insufficient limitations on preference modification. While the exact commit diff isn't available, Moodle's architecture and the vulnerability's nature strongly implicate these core preference-handling functions.
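
The missing check described above, modelled as an added PHP example (not Moodle's code and not taken from the advisory): a setter that never asks who is calling, beside one that requires the actor to be the target user or to hold 'moodle/user:editprofile'. The class, the user ids and the 'startpage' key are constructed for illustration.

```php
<?php
declare(strict_types=1);
// Constructed model, not Moodle code: an in-memory preference store and capability table.
final class AccessDenied extends RuntimeException {}

final class PreferenceStore
{
    /** @var array<int, array<string, string>> user id => preference name => value */
    private array $prefs = [];

    /** @param array<int, string[]> $capabilities actor id => capability names held (constructed) */
    public function __construct(private array $capabilities) {}

    // "Before": writes for whichever user id the request names, with no check on the caller.
    public function setUnchecked(int $targetId, string $name, string $value): void
    {
        $this->prefs[$targetId][$name] = $value;
    }

    // "After": the actor must be the target user, or hold the edit-profile capability.
    public function setChecked(int $actorId, int $targetId, string $name, string $value): void
    {
        $isSelf = $actorId === $targetId;
        $mayEditOthers = in_array('moodle/user:editprofile', $this->capabilities[$actorId] ?? [], true);
        if (!$isSelf && !$mayEditOthers) {
            throw new AccessDenied("user $actorId may not change preferences of user $targetId");
        }
        $this->prefs[$targetId][$name] = $value;
    }

    public function get(int $userId, string $name): ?string
    {
        return $this->prefs[$userId][$name] ?? null;
    }
}

// Constructed users: 2 holds the capability, 10 and 11 are ordinary users.
$store = new PreferenceStore([2 => ['moodle/user:editprofile']]);
$store->setChecked(10, 10, 'startpage', 'dashboard');   // own preference: allowed
$store->setChecked(2, 11, 'startpage', 'mycourses');    // actor holds the capability: allowed
try {
    $store->setChecked(10, 11, 'startpage', 'home');     // another user's preference: refused
} catch (AccessDenied $e) {
    echo 'denied: ', $e->getMessage(), PHP_EOL;
}
echo 'user 11 after checked calls: ', $store->get(11, 'startpage'), PHP_EOL;
$store->setUnchecked(11, 'startpage', 'home');           // same request on the unchecked path
echo 'user 11 after unchecked call: ', $store->get(11, 'startpage'), PHP_EOL;
```

The unchecked setter has no actor parameter at all, so the ownership test cannot be expressed inside it; in that shape the check has to be added at every call site or the signature has to change.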