| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| moodle/moodle | composer | < 4.1.13 | 4.1.13 |
| moodle/moodle | composer | >= 4.2.0-beta, < 4.2.10 | 4.2.10 |
| moodle/moodle | composer | >= 4.3.0-beta, < 4.3.7 | 4.3.7 |
| moodle/moodle | composer | >= 4.4.0-beta, < 4.4.3 | 4.4.3 |
The vulnerability stemmed from missing capability checks in the dynamic table handlers. The key change in the patch adds a `has_capability()` call to the `execute` method in `lib/table/classes/external/dynamic/get.php`, which indicates that `execute` previously processed requests without proper authorization validation. The interface change (a new `has_capability()` requirement) and the exception added in this endpoint confirm that this was the missing security control. The other modified files implement the new capability method but were not themselves vulnerable; the root issue was in the request-handling flow controlled by `execute` in `get.php`.
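The pattern described above, as an added stand-alone sketch that is not Moodle's code: a handler that returns table rows without asking the table for authorization, next to one that calls the table's `has_capability()` and throws on refusal. The interface, class names, capability string and sample users are hypothetical and constructed for illustration; only the `has_capability()` and `execute` names come from the analysis.

```php
<?php
// Added illustration: hypothetical classes, not Moodle's API.
declare(strict_types=1);

interface DynamicTable {
    // Each table decides whether the given user may load its data.
    public function has_capability(array $user): bool;
    public function rows(): array;
}

final class GradeReportTable implements DynamicTable {
    public function has_capability(array $user): bool {
        // 'report:viewgrades' is a constructed capability name.
        return in_array('report:viewgrades', $user['capabilities'], true);
    }
    public function rows(): array {
        return [['student' => 'constructed-user', 'grade' => 'A']];
    }
}

final class AccessDenied extends RuntimeException {}

final class TableHandler {
    // Behaviour the analysis attributes to the unpatched endpoint:
    // rows are returned with no authorization step at all.
    public static function execute_unchecked(DynamicTable $table, array $user): array {
        return $table->rows();
    }

    // Patched shape: ask the table first, raise an exception on refusal.
    public static function execute(DynamicTable $table, array $user): array {
        if (!$table->has_capability($user)) {
            throw new AccessDenied('Missing capability for this table');
        }
        return $table->rows();
    }
}

// Constructed sample users.
$users = [
    ['name' => 'teacher', 'capabilities' => ['report:viewgrades']],
    ['name' => 'student', 'capabilities' => []],
];
foreach ($users as $user) {
    $unchecked = count(TableHandler::execute_unchecked(new GradeReportTable(), $user));
    try {
        $checked = count(TableHandler::execute(new GradeReportTable(), $user)) . ' rows';
    } catch (AccessDenied $e) {
        $checked = 'denied';
    }
    echo "{$user['name']}: unchecked={$unchecked} rows, checked={$checked}\n";
}
```

Putting the check in the shared handler rather than in each table class means a table that forgets to implement it fails at the interface level instead of silently serving data.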