-
CVSS Score
-Basic Information
CVE ID
-
GHSA ID
-
EPSS Score
-
CWE
-
Published
-
Updated
-
KEV Status
-
Technology
-
Technical Details
Vulnerability Intelligence
Miggo AI
Miggo AIMiggo AI| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| moodle/moodle | composer | < 4.1.18 | 4.1.18 |
| moodle/moodle | composer | >= 4.3.0-beta, < 4.3.12 | 4.3.12 |
| moodle/moodle | composer | >= 4.4.0-beta, < 4.4.8 | 4.4.8 |
| moodle/moodle | composer | >= 4.5.0-beta, < 4.5.4 | 4.5.4 |
Miggo AIRoot Cause AnalysisThe vulnerability is an Insecure Direct Object Reference (IDOR) where user-supplied 'contextid' parameters were not properly validated against the user's permissions. The analysis of the provided commit (bd6ec0ac84cf0f73ab35e7e244e1f9b06929083a) shows changes in the 'cohort/classes/reportbuilder/local/systemreports/cohorts.php' file. Specifically, the methods 'initialise', 'can_view', and 'add_actions' were modified to stop using the 'contextid' parameter directly from the input and instead rely on the current user's context ($this->get_context()). These methods were responsible for fetching data, checking permissions, and generating URLs based on the potentially manipulated 'contextid', making them vulnerable. The changes in 'cohort/index.php' are related to how this 'cohorts' class is instantiated, removing the direct passing of 'contextid' as a report parameter, relying on the internal fixes within the 'cohorts' class methods.
PHPPHPOngoing coverage of React2Shell