
CVE-2024-25983: Authorization Bypass in moodle

CVSS Score (v3.1): 5.3

Basic Information

EPSS Score: 0.3346%
Published: 2/19/2024
Updated: 1/23/2025
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Package Name    | Ecosystem | Vulnerable Versions | First Patched Version
moodle/moodle   | composer  | >= 4.3.0, < 4.3.3   | 4.3.3
moodle/moodle   | composer  | >= 4.2.0, < 4.2.6   | 4.2.6
moodle/moodle   | composer  | < 4.1.9             | 4.1.9

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability was patched by modifying block_comments_comment_permissions in blocks/comments/lib.php. The pre-patch version lacked context-aware permission checks, enabling authorization bypass. The commit adds critical validation of user context and block instance existence, directly addressing CWE-639 by ensuring permissions depend on contextual authorization rather than blanket access.

Description

Insufficient checks in a web service made it possible to add comments to the comments block on another user's dashboard when it was not otherwise available (e.g., on their profile page).
