CVE-2023-28336: Moodle may allow teachers to access the names of users they could not otherwise access

March 23, 2023 (updated November 9, 2023)

Insufficient filtering of grade report history made it possible for teachers to access the names of users they could not otherwise access.

References

git.moodle.org/gw?p=moodle.git;a=commit;h=a931a7f8cec3657827268837b27962a13817ca2b
github.com/advisories/GHSA-prjm-2fj2-787f
github.com/moodle/moodle/commit/a931a7f8cec3657827268837b27962a13817ca2b
moodle.org/mod/forum/discuss.php?d=445068
nvd.nist.gov/vuln/detail/CVE-2023-28336

Code Behaviors & Features

Detect and mitigate CVE-2023-28336 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →