-
CVSS Score
-Basic Information
CVE ID
-
GHSA ID
-
EPSS Score
-
CWE
-
Published
-
Updated
-
KEV Status
-
Technology
-
Technical Details
Vulnerability Intelligence
Miggo AI
Miggo AIMiggo AI
PHPPHPMiggo AIRoot Cause AnalysisThe vulnerability exists because Moodle was using an insecure method to retrieve group information for the calendar event form. The functions core_calendar_external::submit_create_update_form and calendar_output_fragment_event_form both utilized groups_get_course_data(), which fetched all groups within a course, failing to check if the user had the necessary permissions to view them. This allowed users with calendar event creation permissions to see the names of all groups, including those that were hidden. The patch addresses this by replacing the insecure function call with groups_get_all_groups(), which correctly respects group visibility settings and user capabilities. Therefore, any user who could trigger the creation or editing of a calendar event would cause these vulnerable functions to be executed, leading to the disclosure of sensitive group information.
core_calendar_external::submit_create_update_formpublic/calendar/externallib.php
calendar_output_fragment_event_formpublic/calendar/lib.php
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| moodle/moodle | composer | >= 5.0.0-beta, < 5.0.3 | 5.0.3 |
| moodle/moodle | composer | >= 4.5.0-beta, < 4.5.7 | 4.5.7 |
| moodle/moodle | composer | >= 4.2.0-beta, < 4.4.11 | 4.4.11 |
| moodle/moodle | composer | < 4.1.21 | 4.1.21 |
Ongoing coverage of React2Shell