Commit 022bfbfb564d8f3866a43d26eed215213bbdd28a locates the vulnerability in the get_users_within_quiz function of the mod_quiz\notification_helper class. The vulnerability description states that Moodle was sending quiz-related messages to inactive or suspended users. The patch adds the onlyactive: true argument to the get_enrolled_users call inside get_users_within_quiz, so that only users with an active enrolment in the course are returned; users whose enrolment is suspended or otherwise inactive therefore no longer receive the notifications, which closes the information leak. The test changes in the same commit confirm this reading: they add assertions that suspended users are absent from the function's output. The vulnerable location is therefore mod_quiz\notification_helper::get_users_within_quiz. One point worth checking when reviewing similar code: get_enrolled_users defaults onlyactive to false, so any other messaging path that calls it without the flag has the same over-inclusive behaviour.
Function: mod_quiz\notification_helper::get_users_within_quiz
File: mod/quiz/classes/notification_helper.php
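To make the effect of the one-argument change concrete, the following is an added illustration, not Moodle's code and not the contents of the commit: a plain-PHP model of the enrolment filter that onlyactive: true switches on, run over a constructed course roster. The ENROL_* constant values and the active-enrolment rule (user enrolment active, enrol instance enabled, current time after timestart and before timeend) are taken from Moodle's lib/enrollib.php as I understand it and should be treated as an assumption; the model covers enrolment status only, not account-level suspension. The shapes of the unpatched and patched get_enrolled_users calls are shown in comments with a placeholder $withcapability.

```php
<?php
// Added example: a self-contained model of Moodle's "only active enrolments"
// filter. This is NOT mod_quiz code; it shows what changes when
// onlyactive: true is passed to get_enrolled_users().

// Values as defined in Moodle's lib/enrollib.php (assumption, not verified here).
const ENROL_USER_ACTIVE = 0;
const ENROL_USER_SUSPENDED = 1;
const ENROL_INSTANCE_ENABLED = 0;
const ENROL_INSTANCE_DISABLED = 1;

/**
 * One user enrolment counts as "active" in the sense of
 * get_enrolled_users(..., onlyactive: true) when the user enrolment is active,
 * the enrol instance is enabled, and $now lies inside the enrolment window
 * (timestart < now, and timeend is 0 or still in the future).
 */
function is_active_enrolment(array $ue, int $now): bool {
    return $ue['ue_status'] === ENROL_USER_ACTIVE
        && $ue['e_status'] === ENROL_INSTANCE_ENABLED
        && $ue['timestart'] < $now
        && ($ue['timeend'] === 0 || $ue['timeend'] > $now);
}

/**
 * Model of get_enrolled_users(): with $onlyactive = false every enrolled user
 * is returned (the unpatched behaviour); with $onlyactive = true the filter
 * above is applied. Returns userid => username.
 */
function get_enrolled_users_model(array $enrolments, bool $onlyactive, int $now): array {
    $users = [];
    foreach ($enrolments as $ue) {
        if ($onlyactive && !is_active_enrolment($ue, $now)) {
            continue; // suspended, expired, not yet started, or instance disabled
        }
        $users[$ue['userid']] = $ue['username'];
    }
    return $users;
}

// Constructed roster (sample data, not from any real site): one user per edge case.
$now = 1700000000;
$roster = [
    ['userid' => 1, 'username' => 'active',
     'ue_status' => ENROL_USER_ACTIVE,    'e_status' => ENROL_INSTANCE_ENABLED,  'timestart' => 0,            'timeend' => 0],
    ['userid' => 2, 'username' => 'suspended',
     'ue_status' => ENROL_USER_SUSPENDED, 'e_status' => ENROL_INSTANCE_ENABLED,  'timestart' => 0,            'timeend' => 0],
    ['userid' => 3, 'username' => 'expired',
     'ue_status' => ENROL_USER_ACTIVE,    'e_status' => ENROL_INSTANCE_ENABLED,  'timestart' => 0,            'timeend' => $now - 86400],
    ['userid' => 4, 'username' => 'notyetstarted',
     'ue_status' => ENROL_USER_ACTIVE,    'e_status' => ENROL_INSTANCE_ENABLED,  'timestart' => $now + 86400, 'timeend' => 0],
    ['userid' => 5, 'username' => 'disabledinstance',
     'ue_status' => ENROL_USER_ACTIVE,    'e_status' => ENROL_INSTANCE_DISABLED, 'timestart' => 0,            'timeend' => 0],
];

// Unpatched call shape (onlyactive defaults to false):
//   $users = get_enrolled_users($context, $withcapability);
$before = get_enrolled_users_model($roster, onlyactive: false, now: $now);

// Patched call shape, as in the commit (named argument, PHP 8):
//   $users = get_enrolled_users($context, $withcapability, onlyactive: true);
$after = get_enrolled_users_model($roster, onlyactive: true, now: $now);

// The same property the commit's added test asserts: suspended users are gone.
assert(count($before) === 5);
assert(array_keys($after) === [1]);
assert(!in_array('suspended', $after, true));

echo 'before: ' . implode(', ', $before) . PHP_EOL;
echo 'after:  ' . implode(', ', $after) . PHP_EOL;
```

Run with `php example.php`; the assertions pass only when the onlyactive filter removes the four non-active enrolments, which is the behaviour the test changes in the commit check against the real function.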
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| moodle/moodle | composer | >= 5.0.0-beta, < 5.0.3 | 5.0.3 |
| moodle/moodle | composer | >= 4.5.0-beta, < 4.5.7 | 4.5.7 |