| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| moodle/moodle | composer | < 4.1.13 | 4.1.13 |
| moodle/moodle | composer | >= 4.2.0-beta, < 4.2.10 | 4.2.10 |
| moodle/moodle | composer | >= 4.3.0-beta, < 4.3.7 | 4.3.7 |
| moodle/moodle | composer | >= 4.4.0-beta, < 4.4.3 | 4.4.3 |

The GitHub patch shows modifications to the password validation logic in `mod/lesson/locallib.php`. The original code used `==` comparisons between `$this->properties->password` and both `md5(trim($userpassword))` and `trim($userpassword)`. PHP's loose comparison allows values like `'0e12345'` (which evaluates to 0 in scientific notation) to match other `'0e...'` hashes. The fix replaced `==` with `===` strict comparisons and added explicit string casting, confirming this was the vulnerable function. The CWE-289 (Authentication Bypass) classification and the commit message ('stricter equality checks') further validate this analysis.
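
The comparison behaviour described above, as an added example that is not Moodle's code: the function names are hypothetical and the sample values are constructed. It places the loose check beside the strict, string-cast form the patch analysis describes.

```php
<?php
// Added illustration only; these helpers are hypothetical, not taken from
// mod/lesson/locallib.php.

// "Before" shape described in the advisory: loose (==) comparison of the
// stored lesson password against md5(trim(input)) and trim(input).
function lesson_password_matches_loose($stored, $userpassword): bool {
    return $stored == md5(trim($userpassword))
        || $stored == trim($userpassword);
}

// "After" shape: explicit string casts and strict (===) comparison, so two
// numeric-looking strings are compared byte for byte, never as numbers.
function lesson_password_matches_strict($stored, $userpassword): bool {
    $stored    = (string) $stored;
    $candidate = trim((string) $userpassword);
    return $stored === md5($candidate) || $stored === $candidate;
}

// Constructed sample values: [stored password, submitted value, note].
$cases = [
    ['0e12345', '0e12345', 'identical strings'],
    ['0e12345', '0e99999', 'different strings, both parse as 0 x 10^n'],
    ['0e12345', '0',       'different strings, both numerically zero'],
    ['1e3',     '1000',    'different strings, both numerically 1000'],
    ['secret',  'Secret',  'non-numeric strings, no type juggling'],
];

foreach ($cases as [$stored, $input, $note]) {
    printf(
        "%-8s vs %-8s loose=%-5s strict=%-5s (%s)\n",
        $stored,
        $input,
        var_export(lesson_password_matches_loose($stored, $input), true),
        var_export(lesson_password_matches_strict($stored, $input), true),
        $note
    );
}
// The same numeric juggling applies to the md5() branch when both the stored
// value and the computed hash are numeric-looking strings.
```

Only the first case should be accepted; the loose check also accepts the second, third and fourth, while the strict check rejects them.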