Moodle Insufficient Capability Checks in Messaging Web Service Allow User Detail Exposure

Vulnerability

A vulnerability in Moodle's messaging web service was identified, stemming from inadequate capability checks. This flaw enabled users to access and view the names and online statuses of other users. The issue affects Moodle versions 4.5 (up to 4.5.3), 4.4 (up to 4.4.7), 4.3 (up to 4.3.11), 4.1 (up to 4.1.17), and earlier unsupported versions.

Impact

Exploitation of this vulnerability constitutes an Insecure Direct Object Reference (IDOR): a user can retrieve details about other users without authorization, specifically their names and online statuses.

Remediation

Upgrade to Moodle 4.5.4, 4.4.8, 4.3.12, or 4.1.18 to address this vulnerability.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread:         5.0
impact:         2.5
exploitability: 5.2
remediation:    7.7
relevance:      0.0
threat:         0.0
urgency:        2.9
incentive:      1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.