CVE-2024-48899
📋 TL;DR
This vulnerability in Moodle allows any authenticated user to view the badge list of courses they are not enrolled in or otherwise permitted to access. It is an improper access control issue in the course badge listing and affects Moodle installations with badges enabled. Moodle administrators should apply the vendor fix to prevent this information disclosure.
💻 Affected Systems
- Moodle
📦 What is this software?
Moodle, the open-source learning management system (LMS) maintained by Moodle HQ. Badges are its built-in achievement feature; they are issued either site-wide or per course, and each course has its own badge list.
⚠️ Risk & Real-World Impact
Worst Case
An authenticated attacker could enumerate all course badges across the entire Moodle instance, potentially revealing sensitive course structures, participation patterns, or internal organizational information.
Likely Case
An enrolled user, by requesting the badge list for a course ID other than their own courses, views the badge lists of courses they are not enrolled in. This discloses badge names and descriptions, i.e. limited information about course structure and completion criteria.
If Mitigated
With proper access controls, users can only see badges for courses they're authorized to access, preventing any unauthorized information disclosure.
🎯 Exploit Status
Exploitation requires an authenticated Moodle account; no elevated role is needed. The attacker requests the course badge list for a course ID they are not enrolled in, which the unpatched code returns without checking their access to that course.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check Moodle security advisories for specific patched versions
Vendor Advisory: https://moodle.org/security/
Restart Required: No
Instructions:
1. Check Moodle security advisories for the specific patch version.
2. Back up your Moodle installation and database.
3. Apply the official Moodle patch or upgrade to the patched version.
4. Verify the fix by testing badge access controls (see How to Verify below).
🔧 Temporary Workarounds
Disable Badges Feature
Temporarily disable the badges functionality to prevent exploitation while awaiting the patch. This removes badge pages for all users, including legitimate ones.
Navigate to Site administration > Advanced features > Enable badges (set to No)
Restrict Badges Access
Use Moodle role permissions to restrict who can view badge lists.
Navigate to Site administration > Users > Permissions > Define roles, edit the relevant roles (for example Authenticated user) and set the capability moodle/badges:viewbadges to Prohibit. A Prohibit set on a system-level role cannot be overridden in a course, so affected users lose badge browsing in every course, including the ones they are enrolled in; site administrators are unaffected.
🧯 If You Can't Patch
- Reduce who can obtain a login: disable self-registration if it is not needed and restrict network access to the Moodle front end to your user population. Exploitation needs only a valid account, so these controls shrink the attacker pool rather than remove the vulnerability.
- Make sure the standard log store is enabled and shipped to your SIEM, and correlate badge list views with enrolment data. Before the fix, unauthorized views succeed and produce no access-denied errors, so they only stand out when compared against who is enrolled in the course.
🔍 How to Verify
Check if Vulnerable:
Test with two user accounts: one enrolled in a test course and one authenticated but not enrolled. From the non-enrolled account, request the badge list of that course (the course's Badges page). If the non-enrolled user can see the course badge list, the instance is vulnerable; the enrolled user should still see it.
Check Version:
Check the Moodle version via Site administration > Notifications, or by reading the $release and $version values in version.php in the Moodle root directory, and compare it with the patched versions listed in the vendor advisory.
Verify Fix Applied:
After patching, repeat the vulnerable test scenario. Unauthorized users should receive access denied errors when trying to fetch course badge lists.
📡 Detection & Monitoring
Log Indicators:
- Badge list views whose course ID does not match any enrolment of the acting user (before the fix these views succeed, so look for successful views correlated against enrolment data, not for failures)
- After patching, repeated access-denied errors on badge list pages from the same user, which indicate continued probing
- Bursts of badge list views across many distinct course IDs from one user or IP in a short period
Network Indicators:
- HTTP requests to badges API endpoints with course IDs the user shouldn't access
- Patterns of badge list enumeration
SIEM Query:
(Pseudo-query; adapt field names to your log source. authorized_course_users must be a lookup built from Moodle's enrolment tables, because the log entry alone does not say whether the user was entitled to the course.)
source="moodle_logs" AND (event="badge_access" OR url="*/badges*") AND user NOT IN authorized_course_users
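The correlation the indicators above describe, worked through as an added example (not Moodle code and not part of the original advisory): a small script that joins an export of Moodle's standard log with an export of enrolments, flags course badge list views by users with no enrolment in that course, and then looks for users who did this across several courses in a short window (enumeration). The log and enrolment CSVs are constructed sample data; the event name \core\event\badge_listing_viewed is assumed to be what Moodle records for badge list views, so check it against your own log store before relying on it, and the privileged-user set stands in for role assignments (admins, managers) that grant course access without enrolment.

```python
"""Flag Moodle course badge list views by users not enrolled in the course.

Added example, not Moodle code. Assumes CSV exports of the standard log
(mdl_logstore_standard_log: eventname,userid,courseid,timecreated,ip) and of
active enrolments (userid,courseid); both are constructed here. The badge
list event name is an assumption to verify against your own logs.
"""
import csv
import io
from collections import defaultdict

BADGE_LIST_EVENT = r"\core\event\badge_listing_viewed"  # assumed event name
SITE_COURSE_ID = 1  # Moodle front page; site badges are visible to all users

# Constructed log: user 5 is enrolled only in course 12 but views the badge
# lists of 13, 14 and 15 within 90 seconds; user 2 is an administrator.
LOG_CSV = r"""eventname,userid,courseid,timecreated,ip
\core\event\badge_listing_viewed,5,12,1730000000,10.0.0.5
\core\event\badge_listing_viewed,5,13,1730000030,10.0.0.5
\core\event\badge_listing_viewed,5,14,1730000060,10.0.0.5
\core\event\badge_listing_viewed,5,15,1730000090,10.0.0.5
\core\event\badge_listing_viewed,7,12,1730000100,10.0.0.7
\core\event\badge_listing_viewed,2,13,1730000200,10.0.0.2
\core\event\badge_listing_viewed,9,1,1730000300,10.0.0.9
\core\event\course_viewed,5,13,1730000400,10.0.0.5
"""

# Constructed enrolments.
ENROL_CSV = """userid,courseid
5,12
7,12
9,20
"""

# Users whose course access does not depend on enrolment (site admins,
# managers in system/category context). Build this from role assignments.
PRIVILEGED_USERS = frozenset({2})


def parse_enrolments(text):
    """Return {userid: set(courseid)} from a userid,courseid CSV."""
    enrolments = defaultdict(set)
    for row in csv.DictReader(io.StringIO(text)):
        enrolments[int(row["userid"])].add(int(row["courseid"]))
    return enrolments


def parse_log(text):
    """Return log rows as dicts with integer ids and timestamps."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({"eventname": row["eventname"],
                     "userid": int(row["userid"]),
                     "courseid": int(row["courseid"]),
                     "timecreated": int(row["timecreated"]),
                     "ip": row["ip"]})
    return rows


def unauthorized_badge_views(log_rows, enrolments, privileged_users=frozenset()):
    """Badge list views of a course by a user with no enrolment in it.

    Site badges and privileged users are skipped; everything left is a view
    the patched code would have denied with an access error.
    """
    findings = []
    for row in log_rows:
        if row["eventname"] != BADGE_LIST_EVENT:
            continue
        if row["courseid"] == SITE_COURSE_ID or row["userid"] in privileged_users:
            continue
        if row["courseid"] not in enrolments.get(row["userid"], set()):
            findings.append(row)
    return findings


def enumeration_suspects(findings, min_courses=3, window_seconds=600):
    """{userid: n} for users with >= min_courses distinct unauthorized
    courses viewed inside some window of window_seconds (n = the max seen)."""
    by_user = defaultdict(list)
    for row in findings:
        by_user[row["userid"]].append((row["timecreated"], row["courseid"]))
    suspects = {}
    for userid, events in by_user.items():
        events.sort()
        best = 0
        for i, (start, _) in enumerate(events):
            in_window = {cid for t, cid in events[i:] if t - start <= window_seconds}
            best = max(best, len(in_window))
        if best >= min_courses:
            suspects[userid] = best
    return suspects


if __name__ == "__main__":
    views = unauthorized_badge_views(parse_log(LOG_CSV),
                                     parse_enrolments(ENROL_CSV), PRIVILEGED_USERS)
    for v in views:
        print(f"user {v['userid']} viewed badges of course {v['courseid']} "
              f"at {v['timecreated']} from {v['ip']} without enrolment")
    print("enumeration suspects:", enumeration_suspects(views))
```

On real data, export the two tables from the Moodle database (or the SIEM's copy of the log) rather than embedding them, and feed the privileged-user set from role assignments in the system and category contexts; without that exclusion, legitimate administrator browsing shows up as false positives, as the sample run demonstrates when the set is left empty.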