
CVE-2024-45689: Moodle allows users to retrieve information they did not have permission to access

CVSS Score (v3.1): 6.5

Basic Information

EPSS Score
0.21162%
Published
11/20/2024
Updated
11/20/2024
KEV Status
No
Technology
PHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version
moodle/moodle | composer | < 4.1.13 | 4.1.13
moodle/moodle | composer | >= 4.2.0-beta, < 4.2.10 | 4.2.10
moodle/moodle | composer | >= 4.3.0-beta, < 4.3.7 | 4.3.7
moodle/moodle | composer | >= 4.4.0-beta, < 4.4.3 | 4.4.3

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from missing capability checks in the dynamic table handlers. The key change in the patch is a has_capability() call added to the execute method of lib/table/classes/external/dynamic/get.php, the external endpoint that renders a dynamic table for AJAX requests. Before the patch, execute fetched and rendered whatever table handler the request named without verifying that the calling user was allowed to see its contents, so any authenticated user could request tables (and the data behind them) they were not entitled to view; this matches the CVSS vector's PR:L and C:H. The new interface requirement (tables must answer has_capability()) and the exception thrown in this endpoint when it returns false are the missing security control. The other modified files implement the new capability method for individual tables and were not themselves vulnerable; the root issue was the request-handling flow controlled by execute in get.php.
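The pattern described above, as an added illustrative example rather than Moodle's own code: a minimal external "get dynamic table" endpoint in its vulnerable shape (instantiate the named handler and render it) beside the hardened shape (ask the handler whether the caller holds the capability it requires, and refuse otherwise). All names here are hypothetical stand-ins: `dynamic_table`, `participants_table`, `execute_vulnerable`, `execute_fixed`, the `required_capability_exception` class, and `user_has_capability()`, which replaces Moodle's context/role-based `has_capability()` with a constructed in-memory map so the script runs without a Moodle install.

```php
<?php
// Added example, not code from Moodle or from the advisory. It models the
// missing-authorization flaw the root-cause analysis describes and the fix:
// a dynamic-table endpoint must consult the table's own capability check
// before rendering it.
//
// Everything below is a hypothetical stand-in for Moodle's real classes.

declare(strict_types=1);

final class required_capability_exception extends RuntimeException {}

// Stand-in for Moodle's has_capability($capability, $context): a constructed
// user-to-capabilities map instead of real role assignments in a context.
function user_has_capability(string $capability, int $userid): bool {
    static $grants = [
        1 => ['moodle/site:config', 'moodle/course:viewparticipants'],
        2 => ['moodle/course:viewparticipants'],
        3 => [], // an authenticated user with no extra rights
    ];
    return in_array($capability, $grants[$userid] ?? [], true);
}

abstract class dynamic_table {
    public function __construct(protected int $userid) {}

    // The control the patch introduces: each table states whether the
    // current user may read it. The endpoint must call this before out().
    abstract public function has_capability(): bool;

    // Returns the rows the table would render (constructed sample data).
    abstract public function out(): array;
}

// A table listing course participants; only users holding the matching
// capability should be able to fetch it.
final class participants_table extends dynamic_table {
    public function has_capability(): bool {
        return user_has_capability('moodle/course:viewparticipants', $this->userid);
    }
    public function out(): array {
        return [
            ['id' => 10, 'name' => 'A. Student'],
            ['id' => 11, 'name' => 'B. Student'],
        ];
    }
}

// Resolve the handler named in the request, accepting only dynamic tables.
function load_handler(string $handler, int $userid): dynamic_table {
    if (!is_subclass_of($handler, dynamic_table::class)) {
        throw new InvalidArgumentException("Unknown dynamic table {$handler}");
    }
    return new $handler($userid);
}

// Vulnerable shape (the "before"): the handler is rendered for any
// authenticated caller, with no check that they may see its contents.
function execute_vulnerable(string $handler, int $userid): array {
    return load_handler($handler, $userid)->out();
}

// Hardened shape (the "after"): refuse unless the table's own capability
// check passes, surfacing the refusal as an exception to the caller.
function execute_fixed(string $handler, int $userid): array {
    $table = load_handler($handler, $userid);
    if (!$table->has_capability()) {
        throw new required_capability_exception("Not allowed to view {$handler}");
    }
    return $table->out();
}

// Demo: user 3 holds no capabilities. The vulnerable endpoint still hands
// over the rows; the fixed one refuses, while user 2 is still served.
$leaked = execute_vulnerable(participants_table::class, 3);
echo 'vulnerable: ' . count($leaked) . " rows returned to user 3\n";

try {
    execute_fixed(participants_table::class, 3);
    echo "fixed: unexpected success for user 3\n";
} catch (required_capability_exception $e) {
    echo 'fixed: ' . $e->getMessage() . "\n";
}

echo 'fixed: ' . count(execute_fixed(participants_table::class, 2)) . " rows returned to user 2\n";
```

Run it with `php example.php` (PHP 8.0 or later, for constructor property promotion). The design point is that the authorization decision lives with the table class, which knows which capability and context apply, while the shared endpoint is responsible for always asking; when reviewing a similar fix, check that every code path in the endpoint that can return table data passes through that check, not only the default one.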


WAF Protection Rules

WAF Rule

A flaw was found in Moodle. Dynamic tables did not enforce capability checks, which resulted in users having the ability to retrieve information they did not have permission to access.
