CVSS Score: -
Basic Information
CVE ID: -
GHSA ID: -
EPSS Score: -
CWE: -
Published: -
Updated: -
KEV Status: -
Technology: -
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| moodle/moodle | composer | < 4.1.13 | 4.1.13 |
| moodle/moodle | composer | >= 4.2.0-beta, < 4.2.10 | 4.2.10 |
| moodle/moodle | composer | >= 4.3.0-beta, < 4.3.7 | 4.3.7 |
| moodle/moodle | composer | >= 4.4.0-beta, < 4.4.3 | 4.4.3 |
The vulnerability stems from missing user-context validation in the `delete_linked_login` function. The original implementation (1) retrieved the linked login solely by its ID, (2) derived the user context from the linked account's `userid` rather than from the caller, and (3) checked only the general capability, with no ownership verification. The patch adds a `userid` match against `$USER->id` to the database query, so a record owned by another user is simply not found for the caller; this confirms that in the pre-patch version a user-controlled `linkedloginid` could be abused for unauthorized deletions. The accompanying test case further confirms this was an authorization bypass.
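The three weaknesses listed above, and the effect of moving the ownership check into the query, as an added self-contained illustration. This is not Moodle's code: the in-memory `LinkedLoginRepo`, the `require_capability_stub` helper, the `example:managelinkedlogins` capability name and the sample rows are all constructed for the example; only the lookup pattern mirrors what the paragraph describes.

```php
<?php
// Added illustration of an ownership check enforced in the query versus a
// lookup by ID alone. Hypothetical, self-contained code, not Moodle's own.
declare(strict_types=1);

final class AccessDenied extends RuntimeException {}

// Constructed stand-in for the linked-login table: two users, one login each.
final class LinkedLoginRepo {
    /** @var array<int, array{id:int, userid:int, issuer:string}> */
    private array $rows = [
        101 => ['id' => 101, 'userid' => 7,  'issuer' => 'issuer-a'],
        102 => ['id' => 102, 'userid' => 42, 'issuer' => 'issuer-b'],
    ];

    /** get_record()-style lookup: every condition must match the row. */
    public function getRecord(array $conditions): ?array {
        foreach ($this->rows as $row) {
            if (array_intersect_assoc($conditions, $row) === $conditions) {
                return $row;
            }
        }
        return null;
    }

    public function delete(int $id): void { unset($this->rows[$id]); }

    public function count(): int { return count($this->rows); }
}

// Constructed capability check: the capability is held by every authenticated
// user, so it passes in any user's context. It says nothing about who owns
// the record being deleted, which is exactly why it is not enough on its own.
function require_capability_stub(string $capability, int $contextuserid, int $currentuserid): void {
    if ($currentuserid <= 0) {
        throw new AccessDenied("capability $capability requires a logged-in user");
    }
}

// Pre-patch shape: (1) lookup by id only, (2) context taken from the record's
// owner, (3) general capability check with no ownership verification.
function delete_linked_login_vulnerable(LinkedLoginRepo $db, int $linkedloginid, int $currentuserid): void {
    $login = $db->getRecord(['id' => $linkedloginid]);          // (1) caller controls the id
    if ($login === null) {
        throw new RuntimeException('linked login not found');
    }
    $contextuserid = $login['userid'];                           // (2) owner's context, not caller's
    require_capability_stub('example:managelinkedlogins', $contextuserid, $currentuserid); // (3)
    $db->delete($linkedloginid);
}

// Patched shape: the caller's user id is part of the query, so a login owned
// by someone else is simply not found and nothing is deleted.
function delete_linked_login_fixed(LinkedLoginRepo $db, int $linkedloginid, int $currentuserid): void {
    $login = $db->getRecord(['id' => $linkedloginid, 'userid' => $currentuserid]);
    if ($login === null) {
        throw new RuntimeException('linked login not found');
    }
    require_capability_stub('example:managelinkedlogins', $login['userid'], $currentuserid);
    $db->delete($linkedloginid);
}

// Constructed regression check, the kind of test the patch's test case adds:
// user 7 is logged in and submits the id of user 42's linked login.
$db = new LinkedLoginRepo();
try {
    delete_linked_login_vulnerable($db, 102, 7);
    echo "vulnerable: another user's login was deleted, rows left: {$db->count()}\n";
} catch (Throwable $e) {
    echo "vulnerable: {$e->getMessage()}\n";
}

$db = new LinkedLoginRepo();
try {
    delete_linked_login_fixed($db, 102, 7);
    echo "fixed: deletion went through, rows left: {$db->count()}\n";
} catch (Throwable $e) {
    echo "fixed: {$e->getMessage()}, rows left: {$db->count()}\n";
}
```

The design point is that ownership is expressed as a query condition rather than as a separate comparison after the fetch: there is no window in which a foreign record is loaded and then acted upon, and the failure mode is an ordinary "not found" rather than a code path that has to remember to deny.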