
CVE-2024-45691: Moodle Lesson activity password bypass through PHP loose comparison

CVSS Score (v3.1): 5.4

Basic Information

EPSS Score: 0.15124%
Published: 11/20/2024
Updated: 11/20/2024
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
| --- | --- | --- | --- |
| moodle/moodle | composer | < 4.1.13 | 4.1.13 |
| moodle/moodle | composer | >= 4.2.0-beta, < 4.2.10 | 4.2.10 |
| moodle/moodle | composer | >= 4.3.0-beta, < 4.3.7 | 4.3.7 |
| moodle/moodle | composer | >= 4.4.0-beta, < 4.4.3 | 4.4.3 |

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The GitHub patch shows modifications to password validation logic in mod/lesson/locallib.php. The original code used '==' comparisons between $this->properties->password and both md5(trim($userpassword)) and trim($userpassword). PHP's loose comparison allows values like '0e12345' (which evaluates to 0 in scientific notation) to match other '0e...' hashes. The fix replaced '==' with '===' strict comparisons and added explicit string casting, confirming this was the vulnerable function. The CWE-289 (Authentication Bypass) classification and commit message ('stricter equality checks') further validate this analysis.
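
The comparison behaviour described above, as an added example (not Moodle's code and not part of the original page). The function names check_loose, check_strict and is_loose_comparable and all sample passwords are constructed for illustration; the last function is an assumed audit helper for spotting stored passwords that `==` would compare as numbers.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-ins for the lesson password check described above.
// Function names and sample values are constructed for illustration.

/** Pre-patch behaviour: loose (==) comparison against hash and plaintext. */
function check_loose(string $stored, string $userpassword): bool {
    $input = trim($userpassword);
    return $stored == md5($input) || $stored == $input;
}

/** Post-patch behaviour: explicit string casts plus strict (===) comparison. */
function check_strict($stored, $userpassword): bool {
    $stored = (string) $stored;
    $input = trim((string) $userpassword);
    return $stored === md5($input) || $stored === $input;
}

/** Audit helper: would == treat this stored password as a number? */
function is_loose_comparable(string $stored): bool {
    return is_numeric($stored);
}

$cases = [
    // [stored password, submitted password]
    ['0e12345', '0e12345'],   // correct password
    ['0e12345', '0e99999'],   // wrong, but both strings parse as 0 * 10^n
    ['0e12345', '0'],         // wrong, plain numeric zero
    ['1e3',     '1000'],      // wrong, numerically equal
    ['s3cret',  '0e99999'],   // non-numeric stored value is unaffected
];

foreach ($cases as [$stored, $given]) {
    printf("stored=%-8s given=%-8s loose=%-5s strict=%-5s at_risk=%s\n",
        $stored, $given,
        var_export(check_loose($stored, $given), true),
        var_export(check_strict($stored, $given), true),
        var_export(is_loose_comparable($stored), true));
}
```

On unpatched versions, a lesson password for which the audit helper returns true is one that the loose check can match against a different numeric-looking input.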


WAF Protection Rules

WAF Rule

A flaw was found in Moodle. When restricting access to a lesson activity with a password, certain passwords could be bypassed or less secure due to a loose comparison in the password-checking logic. This issue only affected passwords set to "magic ha
