Moodle Custom Certificate Plugin Authorization Bypass Vulnerability Allowing Cross-Course Data Tampering

Vulnerability

A critical authorization bypass vulnerability has been identified in the Moodle Custom Certificate plugin (mod_customcert), affecting versions before 4.4.9 and 5.0.3. A teacher who holds the 'mod/customcert:manage' capability in one course can read and silently overwrite certificate elements that belong to other courses. The root cause is that the user-controlled 'elementid' parameter is never validated against the context in which the capability check is performed: the server verifies that the caller may manage certificates in the context ID it supplies, but does not verify that the element identified by 'elementid' actually belongs to that context. A user with the capability in a single course can therefore read and modify certificate data across every course in the same Moodle installation.

Impact

Successful exploitation results in cross-course information disclosure and data tampering. A user with the capability in one course can read and modify the configuration of certificate elements belonging to other courses, including their text, formatting, positioning, and grade display settings.

Reproduction

To reproduce the issue, the attacker needs only a role carrying the 'mod/customcert:manage' capability in a single course. From there, a request to the 'core_get_fragment' web service function with a context ID belonging to the attacker's own course and an element ID belonging to a different course returns the full edit-form HTML for that element, including all of its configuration data (information disclosure). The same mismatch works on the write path: calling the 'mod_customcert_save_element' web service with the attacker's context ID and the foreign element ID overwrites that element's properties in the other course (data tampering).
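To make the flaw concrete, the following is an added, illustrative example written for this page; it is not the plugin's actual code and is not the patch. It shows a handler in the vulnerable shape described above (capability checked in the caller-supplied context, element loaded purely by id) next to a hardened form that resolves the element's own context and authorizes against that. The function names are made up here, and the element -> page -> template -> contextid chain through the customcert_elements, customcert_pages and customcert_templates tables is an assumption about the plugin's schema.

```php
<?php
// Added example, not the plugin's own code. Assumes the customcert schema chain
// customcert_elements.pageid -> customcert_pages.templateid -> customcert_templates.contextid.
defined('MOODLE_INTERNAL') || die();

/**
 * VULNERABLE shape (illustrative).
 *
 * The capability is checked in the context the caller chose, but the element is
 * fetched by id alone. Nothing ties $elementid to $contextid, so a teacher who can
 * manage certificates in course A can pass course A's context id together with an
 * element id from course B and receive (or later overwrite) course B's element.
 */
function customcert_example_load_element_vulnerable(int $contextid, int $elementid): stdClass {
    global $DB;

    $context = \context::instance_by_id($contextid);
    require_capability('mod/customcert:manage', $context); // Passes: caller really can manage course A.

    // Missing: any check that this element lives under $context.
    return $DB->get_record('customcert_elements', ['id' => $elementid], '*', MUST_EXIST);
}

/**
 * HARDENED shape (illustrative).
 *
 * Resolve the element's real context through its page and template, reject the
 * request if the caller-supplied context id does not match, and only then check
 * the capability in the context the element actually belongs to. The check runs
 * before any form is built or any record is returned, so both the read path
 * (core_get_fragment) and the write path (save_element) are closed by the same helper.
 */
function customcert_example_load_element_checked(int $contextid, int $elementid): stdClass {
    global $DB;

    $element  = $DB->get_record('customcert_elements', ['id' => $elementid], '*', MUST_EXIST);
    $page     = $DB->get_record('customcert_pages', ['id' => $element->pageid], '*', MUST_EXIST);
    $template = $DB->get_record('customcert_templates', ['id' => $page->templateid], '*', MUST_EXIST);

    if ((int) $template->contextid !== $contextid) {
        // The element does not belong to the context the caller claimed: fail closed
        // without revealing anything about the foreign element.
        throw new invalid_parameter_exception('Element does not belong to the given context');
    }

    // Authorise against the element's own context, not a context chosen by the caller.
    $context = \context::instance_by_id((int) $template->contextid);
    require_capability('mod/customcert:manage', $context);

    return $element;
}

/**
 * Write path using the hardened loader: only fields on an element the caller is
 * actually allowed to manage can be updated. $data holds the new property values.
 */
function customcert_example_save_element_checked(int $contextid, int $elementid, stdClass $data): void {
    global $DB;

    $element = customcert_example_load_element_checked($contextid, $elementid);

    // Copy over the editable properties from $data; the id and pageid stay fixed so the
    // element cannot be re-parented into a different page/template through this call.
    foreach ($data as $field => $value) {
        if ($field === 'id' || $field === 'pageid') {
            continue;
        }
        $element->$field = $value;
    }
    $element->timemodified = time();
    $DB->update_record('customcert_elements', $element);
}
```

The design point is that the context used for require_capability() must be derived from the object being acted on, never taken from a request parameter; comparing the caller-supplied context id against the derived one catches the cross-course case described above, and an identical check on the save path prevents the silent overwrite.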

Remediation

Administrators should upgrade the Moodle Custom Certificate plugin to version 4.4.9 or 5.0.3 (or later on the respective branch), which address this vulnerability.

Added: Mar 18, 2026, 4:25 AM
Updated: Mar 18, 2026, 4:25 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 1.3
exploitability: 6.3
remediation: 0.0
relevance: 4.1
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.