Lucene search

GitHub Advisory DatabaseGHSA-59J6-8G7W-PRF7

HistoryMay 13, 2022 - 1:12 a.m.

Moodle exposes hidden grades to students

2022-05-1301:12:41

CWE-200

GitHub Advisory Database

github.com

moodle

grades

sensitive information

student role

web service

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:N/A:N

AI Score

Confidence

Low

EPSS

0.002

Percentile

52.7%

JSON

lib/classes/grades_external.php in Moodle 2.7.x before 2.7.3 does not consider the moodle/grade:viewhidden capability before displaying hidden grades, which allows remote authenticated users to obtain sensitive information by leveraging the student role to access the get_grades web service.

Affected configurations

Vulners

Node

moodlemoodleRange2.7.0–2.7.3

VendorProductVersionCPE
moodlemoodle*cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
moodle	moodle	*	cpe:2.3:a:moodle:moodle::::::::

References

git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47766

openwall.com/lists/oss-security/2014/11/17/11

github.com/advisories/GHSA-59j6-8g7w-prf7

github.com/moodle/moodle/commit/3b8876f5ef2b5cde1e9de2599efd03d02bdaf7d8

moodle.org/mod/forum/discuss.php?d=275153

nvd.nist.gov/vuln/detail/CVE-2014-7831

web.archive.org/web/20150914064838/www.securitytracker.com/id/1031215

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:N/A:N

AI Score

Confidence

Low

EPSS

0.002

Percentile

52.7%

JSON

Related for GHSA-59J6-8G7W-PRF7