The vulnerability stems from improper authorization checks in the bulk messaging feature of the Feedback activity's non-respondents report. Following the CWE-639 (authorization bypass through user-controlled key) and CWE-863 (incorrect authorization) patterns, the core issue is that user-controlled input (recipient user IDs) is used without being validated against the legitimate non-respondent dataset. Moodle's module layout suggests that the feedback_send_message_to_nonrespondents function in mod/feedback/lib.php handles this messaging logic. The high confidence in that location rests on three points:

1) The vulnerability description explicitly names the non-respondents report context.
2) An IDOR of this kind requires a function that processes user-supplied IDs without an authorization check.
3) Moodle security fixes for similar issues are typically implemented in module library files such as lib.php.
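The following is an added illustration of the pattern described above, written in plain Python rather than Moodle's PHP so that it runs stand-alone; it is not Moodle code and does not reproduce the actual feedback_send_message_to_nonrespondents implementation. The `Feedback`, `Actor`, `send_vulnerable` and `send_hardened` names and the sample user sets are constructed for the example. The vulnerable handler trusts the recipient IDs from the request; the hardened handler first checks that the caller is allowed to manage this feedback, then re-derives the non-respondent set server-side and rejects the whole request if any requested ID falls outside it, which both closes the IDOR and gives a single auditable refusal to log.

```python
from dataclasses import dataclass


@dataclass
class Feedback:
    """Constructed stand-in for one feedback activity (not Moodle's own model)."""
    id: int
    course_users: set[int]   # users enrolled in the course
    responded: set[int]      # users who already submitted a response

    def non_respondents(self) -> set[int]:
        """Authoritative recipient set, derived server-side, never from the request."""
        return self.course_users - self.responded


@dataclass
class Actor:
    """The logged-in user issuing the bulk-message request (constructed)."""
    id: int
    manages: set[int]        # feedback ids this actor may manage (capability stand-in)


class AuthorizationError(Exception):
    pass


def send_vulnerable(feedback: Feedback, recipient_ids: list[int], outbox: list) -> int:
    """'Before' behaviour (CWE-639 / CWE-863): every ID in the request body is messaged,
    with no check that the caller may manage this feedback or that each ID is a
    non-respondent. Returns the number of messages queued."""
    for uid in recipient_ids:
        outbox.append((feedback.id, uid))
    return len(recipient_ids)


def send_hardened(feedback: Feedback, actor: Actor, recipient_ids: list[int], outbox: list) -> int:
    """Hardened form: capability gate, then validate the user-controlled keys against
    the server-derived non-respondent set. Any ID outside that set fails the whole
    request instead of being silently dropped, so the attempt is visible in logs."""
    if feedback.id not in actor.manages:
        raise AuthorizationError(f"actor {actor.id} may not manage feedback {feedback.id}")

    allowed = feedback.non_respondents()
    requested = set(recipient_ids)          # de-duplicate before comparing
    rejected = requested - allowed
    if rejected:
        raise AuthorizationError(
            f"recipients not in non-respondent set for feedback {feedback.id}: {sorted(rejected)}"
        )

    for uid in sorted(requested):
        outbox.append((feedback.id, uid))
    return len(requested)


def demo() -> dict:
    """Runs both handlers on constructed data and returns what each did."""
    fb = Feedback(id=7, course_users={1, 2, 3, 4}, responded={2, 4})
    teacher = Actor(id=100, manages={7})
    bad_request = [1, 99]                   # 99 is not enrolled at all

    vuln_out: list = []
    vuln_sent = send_vulnerable(fb, bad_request, vuln_out)

    hard_out: list = []
    try:
        send_hardened(fb, teacher, bad_request, hard_out)
        hard_error = None
    except AuthorizationError as e:
        hard_error = str(e)

    return {
        "vulnerable_sent": vuln_sent,        # 2: the out-of-scope ID 99 was messaged
        "vulnerable_outbox": vuln_out,
        "hardened_sent": len(hard_out),      # 0: request refused as a whole
        "hardened_error": hard_error,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Rejecting rather than filtering is a deliberate choice: silently dropping out-of-scope IDs would still let a forged request partially succeed and would hide the anomaly, whereas a refusal with the offending IDs gives the application log a clear signal to alert on.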
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| moodle/moodle | composer | < 4.1.12 | 4.1.12 |
| moodle/moodle | composer | >= 4.2.0-beta, < 4.2.9 | 4.2.9 |
| moodle/moodle | composer | >= 4.3.0-beta, < 4.3.6 | 4.3.6 |
| moodle/moodle | composer | >= 4.4.0-beta, < 4.4.2 | 4.4.2 |