CVE-2014-0009 in Moodle
Summary
by MITRE
course/loginas.php in Moodle through 2.2.11, 2.3.x before 2.3.11, 2.4.x before 2.4.8, 2.5.x before 2.5.4, and 2.6.x before 2.6.1 does not enforce the moodle/site:accessallgroups capability requirement for outside-group users in a SEPARATEGROUPS configuration, which allows remote authenticated users to perform "login as" actions via a direct request.
Analysis
by VulDB Data Team • 01/31/2022
This vulnerability affects the Moodle learning management system through 2.2.11, 2.3.x before 2.3.11, 2.4.x before 2.4.8, 2.5.x before 2.5.4, and 2.6.x before 2.6.1. The flaw resides in course/loginas.php, which fails to properly validate the requesting user's permissions when processing "login as" requests. It is a privilege escalation vulnerability that undermines the security model of Moodle's group management system.
The technical flaw stems from insufficient capability checking in the "login as" functionality when Moodle is configured in SEPARATEGROUPS mode. In this configuration, users should only be able to access the courses and groups they belong to, but the vulnerability allows authenticated users who do not hold the moodle/site:accessallgroups capability to bypass that restriction. The endpoint accepts a direct request to loginas.php without verifying that the requesting user is permitted to act on users outside their own groups.
When exploited, this vulnerability enables remote authenticated users to impersonate other users within the system, potentially gaining access to restricted course content, user data, and administrative functions. The impact is particularly severe because the "login as" action crosses group boundaries, circumventing the access controls that are meant to separate user groups in educational environments. This can lead to unauthorized data access, privacy violations, and potential system compromise through privilege escalation.
The vulnerability aligns with CWE-284 (improper access control) and maps to ATT&CK technique T1078 (valid accounts), used here for privilege escalation. Organizations running affected Moodle versions should apply the relevant security patches immediately. Recommended mitigations are upgrading to a patched Moodle release, implementing additional access controls, and monitoring for unauthorized "login as" activity. System administrators should also review user capabilities and confirm that group management is configured correctly, so that restricted resources cannot be reached from outside the intended groups.
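To make the missing check concrete, the following is an added model of the "login as" authorization decision; it is not Moodle's code or its actual patch. The pre-fix function mirrors the behaviour described above (group mode and moodle/site:accessallgroups are never consulted), and the corrected function adds the group-boundary check; the group-mode constants follow Moodle's grouplib, while the course, group and user data are constructed for the example.

```python
from dataclasses import dataclass, field

# Moodle group-mode constants (lib/grouplib.php)
NOGROUPS, SEPARATEGROUPS, VISIBLEGROUPS = 0, 1, 2
ACCESS_ALL_GROUPS = "moodle/site:accessallgroups"


@dataclass
class Course:
    enrolled: set          # user ids enrolled in the course
    groupmode: int         # NOGROUPS, SEPARATEGROUPS or VISIBLEGROUPS
    groups: dict           # group name -> set of member user ids


@dataclass
class User:
    id: int
    capabilities: set = field(default_factory=set)


def shares_group(course, a, b):
    """True when users a and b are members of at least one common group."""
    return any(a in m and b in m for m in course.groups.values())


def loginas_allowed_prefix(course, actor, target):
    # Pre-fix behaviour as the advisory describes it: only enrolment of the
    # target is checked, so a direct request crosses group boundaries.
    return target.id in course.enrolled


def loginas_allowed_fixed(course, actor, target):
    # Corrected decision: in SEPARATEGROUPS mode the actor must either hold
    # moodle/site:accessallgroups or share a group with the target.
    if target.id not in course.enrolled:
        return False
    if course.groupmode != SEPARATEGROUPS:
        return True
    if ACCESS_ALL_GROUPS in actor.capabilities:
        return True
    return shares_group(course, actor.id, target.id)


def demo():
    """Constructed scenario: two separate groups, one outside-group actor."""
    course = Course(enrolled={1, 2, 3}, groupmode=SEPARATEGROUPS,
                    groups={"A": {1, 2}, "B": {3}})
    teacher_a, student_a, student_b = User(1), User(2), User(3)
    admin = User(9, {ACCESS_ALL_GROUPS})
    return {
        "prefix_cross_group": loginas_allowed_prefix(course, teacher_a, student_b),
        "fixed_cross_group": loginas_allowed_fixed(course, teacher_a, student_b),
        "fixed_same_group": loginas_allowed_fixed(course, teacher_a, student_a),
        "fixed_with_capability": loginas_allowed_fixed(course, admin, student_b),
    }
```

Running demo() shows the pre-fix path granting the cross-group action that the corrected path refuses, while same-group and capability-holding requests still succeed.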