
CVE-2024-38273: Moodle BigBlueButton web service leaks meeting joining information

CVSS Score: 4.3 (CVSS v3.1)

Basic Information

EPSS Score
0.34604%
Published
6/18/2024
Updated
11/5/2024
KEV Status
No
Technology
PHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Package Name    Ecosystem   Vulnerable Versions        First Patched Version
moodle/moodle   composer    >= 4.4.0-beta, < 4.4.1     4.4.1
moodle/moodle   composer    >= 4.3.0-beta, < 4.3.5     4.3.5
moodle/moodle   composer    >= 4.2.0-beta, < 4.2.8     4.2.8
moodle/moodle   composer    < 4.1.11                   4.1.11

Vulnerability Intelligence

Root Cause Analysis

The vulnerability stems from a missing can_join() check in the execute() method of get_join_url.php, the web service that returns the URL a user needs to join a BigBlueButton meeting. Because execute() never asked whether the calling user was actually allowed to join, any authenticated user who could reach the activity could obtain the join URL, including users explicitly prohibited from joining. The patch adds this capability check and throws restricted_context_exception when the caller is not authorised. The accompanying change to get_join_url_test.php, which exercises a prohibited user, confirms that this was the attack vector. The function's purpose (generating join URLs) and the CWE-284 (Improper Access Control) classification map directly to this missing access control in execute().
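As an added illustration (not Moodle's own code and not the patch itself), the following standalone PHP script models the shape of the defect: a web-service execute() that hands out the join URL without consulting can_join(), beside the hardened form that raises restricted_context_exception. The bbb_instance class, its constructor fields, the function names execute_vulnerable()/execute_fixed() and the sample URL are constructed assumptions; only the names can_join(), execute() and restricted_context_exception come from the advisory text.

```php
<?php
// Added illustration, not Moodle's code: a minimal stand-in for the
// mod_bigbluebuttonbn get_join_url external function, showing the
// execute() shape without the can_join() check (the reported defect)
// next to the hardened shape that throws restricted_context_exception.
// bbb_instance and its fields are assumptions that model the real
// instance class only as far as this check needs.
declare(strict_types=1);

class restricted_context_exception extends Exception {}

/** Simplified stand-in for the BigBlueButton activity instance (assumption). */
final class bbb_instance {
    public function __construct(
        private int $id,
        private bool $canview,        // user can see the activity at all
        private bool $joinprohibited, // e.g. a role override prohibiting joining
        private string $joinurl,
    ) {}

    public function get_id(): int { return $this->id; }

    /** Models can_join(): visible to the user and not prohibited from joining. */
    public function can_join(): bool {
        return $this->canview && !$this->joinprohibited;
    }

    /** The meeting join URL; sensitive because anyone holding it can join. */
    public function get_join_url(): string { return $this->joinurl; }
}

/** Vulnerable shape: returns the join URL to any caller who can reach the instance. */
function execute_vulnerable(bbb_instance $instance): array {
    return ['join_url' => $instance->get_join_url(), 'warnings' => []];
}

/** Hardened shape: the capability check the patch adds, as described above. */
function execute_fixed(bbb_instance $instance): array {
    if (!$instance->can_join()) {
        throw new restricted_context_exception(
            'User may not join BigBlueButton instance ' . $instance->get_id()
        );
    }
    return ['join_url' => $instance->get_join_url(), 'warnings' => []];
}

// Constructed sample: a user who can view the activity but is prohibited
// from joining, the situation the patched test exercises.
$prohibited = new bbb_instance(
    42, true, true,
    'https://bbb.example/bigbluebutton/api/join?meetingID=42&password=CONSTRUCTED'
);

// Before the fix the URL is handed out regardless of the prohibition.
echo "vulnerable: ", execute_vulnerable($prohibited)['join_url'], PHP_EOL;

// After the fix the same caller is refused.
try {
    execute_fixed($prohibited);
    echo "fixed: join URL returned (unexpected)", PHP_EOL;
} catch (restricted_context_exception $e) {
    echo "fixed: denied (", $e->getMessage(), ")", PHP_EOL;
}
```

Running the script prints the leaked URL from the vulnerable path and a denial from the fixed path. The practical check for a deployment is to compare the installed Moodle version against the first patched versions listed above; where the upgrade cannot be applied yet, confirm that a user prohibited from joining a BigBlueButton activity cannot obtain a join URL through the web service.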


WAF Protection Rules

WAF Rule

Insufficient capability checks meant it was possible for users to gain access to BigBlueButton join URLs they did not have permission to access.
