CVE-2024-43429
📋 TL;DR
This vulnerability in Moodle allows unauthorized users to view hidden user profile fields through gradebook reports. Users without the 'view hidden user fields' capability can access sensitive information that should be restricted. This affects all Moodle instances where gradebook reports are accessible.
💻 Affected Systems
- Moodle
📦 What is this software?
Moodle by Moodle
⚠️ Risk & Real-World Impact
Worst Case
Exposure of sensitive personal information (email addresses, phone numbers, addresses) from hidden profile fields to unauthorized users, potentially leading to privacy violations, harassment, or targeted attacks.
Likely Case
Unauthorized viewing of contact information or other hidden profile data by students, teaching assistants, or other users who shouldn't have access to this information.
If Mitigated
Minimal impact if proper access controls and user permissions are already strictly enforced, though some information leakage may still occur.
🎯 Exploit Status
Exploitation requires authenticated access to Moodle and the ability to view gradebook reports. No special tools or advanced knowledge needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Moodle 4.3.8, 4.2.11, 4.1.14, 4.0.18
Vendor Advisory: https://moodle.org/mod/forum/discuss.php?d=461197
Restart Required: No
Instructions:
1. Back up your Moodle installation and database.
2. Download the appropriate patched version from moodle.org.
3. Replace the affected files with the patched versions.
4. Run the upgrade process through the web interface or CLI.
🔧 Temporary Workarounds
Disable gradebook reports
Temporarily disable gradebook report access for users who don't need it
Navigate to Site administration > Users > Permissions > Define roles > Edit role capabilities > Set 'moodle/grade:viewall' to 'Prevent' for affected roles
Remove sensitive data from hidden fields
Clear any sensitive information from hidden user profile fields. This irreversibly empties the stored values, so take the database backup from the fix instructions first, and adjust the mdl_ table prefix if your installation uses a different one.
Run SQL: UPDATE mdl_user_info_data SET data = '' WHERE fieldid IN (SELECT id FROM mdl_user_info_field WHERE visible = 0)
🧯 If You Can't Patch
- Restrict gradebook access to only essential personnel using role-based permissions
- Audit and remove sensitive information from all hidden user profile fields
🔍 How to Verify
Check if Vulnerable:
Check if hidden user profile fields appear in gradebook reports for users without 'view hidden user fields' capability
Check Version:
Check Moodle version in Site administration > General > Notifications or via CLI: php admin/cli/version.php
Verify Fix Applied:
Verify that hidden user profile fields no longer appear in gradebook reports for unauthorized users after patching
📡 Detection & Monitoring
Log Indicators:
- Unusual access patterns to gradebook reports
- Multiple failed permission checks for 'view hidden user fields' capability
Network Indicators:
- Increased traffic to gradebook report URLs from unauthorized users
SIEM Query:
source="moodle_logs" AND (event="grade_report_viewed" OR event="capability_check_failed") AND user_role!="admin"
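As an added illustration of the indicators above (not part of this advisory or of Moodle's own tooling), the following Python applies the SIEM query's filter to constructed JSON-lines log records and flags non-admin users with repeated gradebook report views or repeated denied hidden-field capability checks. The record layout, field names and thresholds are assumptions to adapt to your log pipeline.

```python
import json
from collections import Counter

# Constructed sample records in a JSON-lines shape modelled on the SIEM query
# in this advisory; field and event names are assumptions, not Moodle's native
# log schema, so map them onto whatever your log pipeline emits.
SAMPLE_LOGS = """
{"ts":"2024-09-01T10:00:01Z","user":"alice","user_role":"student","event":"grade_report_viewed"}
{"ts":"2024-09-01T10:00:04Z","user":"alice","user_role":"student","event":"grade_report_viewed"}
{"ts":"2024-09-01T10:00:07Z","user":"alice","user_role":"student","event":"grade_report_viewed"}
{"ts":"2024-09-01T10:00:09Z","user":"alice","user_role":"student","event":"grade_report_viewed"}
{"ts":"2024-09-01T10:00:12Z","user":"alice","user_role":"student","event":"grade_report_viewed"}
{"ts":"2024-09-01T10:01:00Z","user":"bob","user_role":"teaching_assistant","event":"grade_report_viewed"}
{"ts":"2024-09-01T10:01:02Z","user":"bob","user_role":"teaching_assistant","event":"capability_check_failed","capability":"view hidden user fields"}
{"ts":"2024-09-01T10:01:05Z","user":"bob","user_role":"teaching_assistant","event":"capability_check_failed","capability":"view hidden user fields"}
{"ts":"2024-09-01T10:02:00Z","user":"carol","user_role":"admin","event":"grade_report_viewed"}
{"ts":"2024-09-01T10:02:01Z","user":"carol","user_role":"admin","event":"grade_report_viewed"}
{"ts":"2024-09-01T10:03:00Z","user":"dave","user_role":"student","event":"grade_report_viewed"}
{"ts":"2024-09-01T10:03:10Z","user":"dave","user_role":"student","event":"capability_check_failed","capability":"view hidden user fields"}
"""

GRADE_EVENTS = {"grade_report_viewed", "capability_check_failed"}

def parse_logs(text):
    """One JSON object per non-blank line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def flag_users(records, view_threshold=5, denied_threshold=2):
    """Apply the SIEM filter (relevant events, user_role != admin) and return
    {user: [reasons]} for users whose activity crosses a threshold: many
    gradebook report views, or repeated denials of the hidden-fields check."""
    views, denied = Counter(), Counter()
    for rec in records:
        if rec.get("event") not in GRADE_EVENTS or rec.get("user_role") == "admin":
            continue
        if rec["event"] == "grade_report_viewed":
            views[rec["user"]] += 1
        elif rec.get("capability") == "view hidden user fields":
            denied[rec["user"]] += 1
    flagged = {}
    for user, n in views.items():
        if n >= view_threshold:
            flagged.setdefault(user, []).append(f"{n} gradebook report views")
    for user, n in denied.items():
        if n >= denied_threshold:
            flagged.setdefault(user, []).append(f"{n} denied hidden-field checks")
    return flagged

if __name__ == "__main__":
    for user, reasons in flag_users(parse_logs(SAMPLE_LOGS)).items():
        print(user, "->", "; ".join(reasons))
```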