CVE-2017-15110 in Moodle
Summary
by MITRE
In Moodle 3.x, students can find out email addresses of other students in the same course. Using search on the Participants page, students could search email addresses of all participants regardless of email visibility. This allows enumerating and guessing emails of other students.
Analysis
by VulDB Data Team • 01/11/2023
This vulnerability exists in Moodle version 3.x where student users can discover email addresses of other students enrolled in the same course through the Participants page search functionality. The flaw stems from insufficient access controls and authorization checks within the course participant listing mechanism, allowing any enrolled student to bypass normal email visibility restrictions. The vulnerability specifically affects the search functionality on the course participants page where users can input email addresses to filter participants, but the system fails to properly validate whether the requesting user has appropriate permissions to view the target user's email address.
The technical implementation flaw resides in the lack of proper user role validation and email visibility enforcement within the search and display logic. When students perform searches on the participants page, the system should verify that the requesting user has appropriate permissions to access the target user's email information based on the email visibility settings configured by course administrators. However, the current implementation allows unrestricted access to email addresses through the search interface regardless of the visibility settings that should normally restrict such information exposure.
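The gap described above, shown as an added Python example that is not Moodle's code or part of the original analysis: the search predicate matches on email without the visibility check, so a search hit confirms a hidden address even when the address is never displayed. The `Participant` model, the two visibility constants and all function names are assumptions made for illustration.

```python
from dataclasses import dataclass

# Simplified visibility model assumed for this example (not Moodle's schema).
HIDDEN, COURSE_MEMBERS = 0, 1


@dataclass(frozen=True)
class Participant:
    name: str
    email: str
    email_visibility: int
    role: str = "student"


def can_see_email(viewer, target):
    """Single authorization decision shared by display and search."""
    if viewer.role == "teacher" or viewer == target:
        return True
    return target.email_visibility == COURSE_MEMBERS


def search_vulnerable(viewer, roster, term):
    """Matches on email for every participant; the viewer is never consulted."""
    t = term.lower()
    return [p.name for p in roster if t in p.name.lower() or t in p.email.lower()]


def search_hardened(viewer, roster, term):
    """Matches on email only where the viewer may see that participant's email."""
    t = term.lower()
    return [p.name for p in roster
            if t in p.name.lower()
            or (can_see_email(viewer, p) and t in p.email.lower())]


# Constructed sample roster.
ALICE = Participant("Alice Ng", "alice.ng@example.edu", HIDDEN)
BOB = Participant("Bob Ruiz", "b.ruiz@example.edu", COURSE_MEMBERS)
CARA = Participant("Cara Diaz", "cara@example.edu", HIDDEN)
TEACHER = Participant("T. Okoye", "okoye@example.edu", HIDDEN, role="teacher")
ROSTER = [ALICE, BOB, CARA, TEACHER]

if __name__ == "__main__":
    for fn in (search_vulnerable, search_hardened):
        print(fn.__name__, fn(CARA, ROSTER, "alice.ng@"))
```

The hardened variant still lets a student find peers by name and by any email they are allowed to see; only the hidden field is excluded from matching.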
This vulnerability creates significant operational impact by enabling students to enumerate and potentially guess email addresses of their peers, which can lead to various security and privacy concerns. The exposure of email addresses can facilitate social engineering attacks, spam campaigns, and unauthorized account access attempts. Attackers can systematically search for email addresses to identify valid accounts and then attempt credential guessing or phishing attacks against those users. The vulnerability essentially undermines the privacy controls that course administrators implement to protect student information and can compromise the overall security posture of educational institutions using Moodle.
The flaw aligns with CWE-284 Access Control Issues, specifically insufficient access control validation and improper authorization checks. It also maps to ATT&CK technique T1589 (enumeration of email addresses), since user contact information can be harvested through legitimate system functionality.
Organizations should implement immediate mitigations, including enforcing proper access controls on participant search functionality, rate limiting search operations, and ensuring that email visibility settings are enforced regardless of search interface access. Additionally, administrators should review and restrict participant search capabilities to authorized users only, and consider additional authentication requirements for sensitive data access. The vulnerability highlights the importance of maintaining proper security boundaries and access control enforcement even in seemingly benign user interface features.