Executive Summary

This vulnerability in Moodle allows users who have permission to create calendar events—but not permission to view hidden groups—to see the names of those hidden groups. This happens because of a missing capability check in the calendar event creation workflow, which unintentionally exposes private or restricted group names to unauthorized users. [1]

Useful 0 Not Useful 0

Impact Analysis

The vulnerability can impact you by exposing the names of hidden or private groups within a Moodle course to users who should not have access to that information. This could lead to unintended disclosure of confidential group information, potentially compromising privacy and trust within the organization or educational institution using Moodle. [1]

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by verifying the Moodle version in use to see if it falls within the affected ranges (5.0 to 5.0.2, 4.5 to 4.5.6, 4.4 to 4.4.10, 4.1 to 4.1.20). Additionally, checking user permissions related to calendar event creation and attempting to access hidden group names through the calendar event creation interface can help detect the issue. Specific commands to check Moodle version on the server include: `grep '$release' version.php` in the Moodle installation directory or checking the version via the Moodle admin interface. There are no direct network commands provided to detect this vulnerability. [1]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include upgrading Moodle to a fixed version: 5.0.3, 4.5.7, 4.4.11, or 4.1.21 or later. Until an upgrade can be performed, review and restrict permissions for users who can create calendar events to prevent unauthorized access to hidden group names. [1]

Useful 0 Not Useful 0