GHSA-8r7x-qq55-74v2

Source
https://github.com/advisories/GHSA-8r7x-qq55-74v2
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-8r7x-qq55-74v2/GHSA-8r7x-qq55-74v2.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-8r7x-qq55-74v2
Aliases
  • CVE-2013-1830
Published
2022-05-13T01:12:57Z
Modified
2024-02-16T08:18:46.589650Z
Summary
Moodle does not enforce the forceloginforprofiles setting
Details

user/view.php in Moodle through 2.1.10, 2.2.x before 2.2.8, 2.3.x before 2.3.5, and 2.4.x before 2.4.2 does not enforce the forceloginforprofiles setting, which allows remote attackers to obtain sensitive course-profile information by leveraging the guest role, as demonstrated by a Google search.

References

Affected packages

Packagist / moodle/moodle

Package

Name
moodle/moodle
Purl
pkg:composer/moodle/moodle

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Last affected
2.1.10

Packagist / moodle/moodle

Package

Name
moodle/moodle
Purl
pkg:composer/moodle/moodle

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.2.0
Fixed
2.2.8

Packagist / moodle/moodle

Package

Name
moodle/moodle
Purl
pkg:composer/moodle/moodle

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.3.0
Fixed
2.3.5

Affected versions

v2.*

v2.3.4

Packagist / moodle/moodle

Package

Name
moodle/moodle
Purl
pkg:composer/moodle/moodle

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.4.0
Fixed
2.4.2

Affected versions

v2.*

v2.4.0
v2.4.1