4.3

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2023-28334

GHSA ID

GHSA-hh52-g5c4-wprh

EPSS Score

0.50836%

CWE

CWE-200

Published

3/23/2023

Updated

4/29/2024

KEV Status

Technology

PHP

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-28334

CVE-2023-28334: Moodle may allow authenticated users to enumerate other user's names via learning plans page

Authenticated users were able to enumerate other users' names via the learning plans page.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2023-28334

CVE-2023-28334:

4.3

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2023-28334

GHSA ID

GHSA-hh52-g5c4-wprh

EPSS Score

0.50836%

CWE

CWE-200

Published

3/23/2023

Updated

4/29/2024

KEV Status

Technology

PHP

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
moodle/moodle	composer	>= 4.1.0, < 4.1.2	4.1.2
moodle/moodle	composer	>= 4.0.0, < 4.0.7	4.0.7
moodle/moodle	composer	>= 3.11.0, < 3.11.13	3.11.13
moodle/moodle	composer	< 3.9.20	3.9.20

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from two functions in page_helper.php that set the page heading using the target user's full name. The patch removed the $PAGE->set_heading(fullname($user)) calls, which were leaking names. The CWE-639 (Authorization Bypass via User-Controlled Key) indicates attackers could manipulate the userid parameter to access unauthorized pages, while CWE-200 confirms the exposure of sensitive data (names). The removal of these lines in the commit directly addresses the information leak, confirming these functions as the vulnerability source.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

4.3

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2023-28334: Moodle may allow authenticated users to enumerate other user's names via learning plans page

CVE-2023-28334:

4.3

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

4.3

4.3

CVE-2023-28334: Moodle may allow authenticated users to enumerate other user's names via learning plans page

Technical Details

Basic Information

Basic Information

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI