CVE-2019-10188 in Moodle

Summary

by MITRE

A flaw was found in Moodle before versions 3.7.1, 3.6.5, 3.5.7. Teachers in a quiz group could modify group overrides for other groups in the same quiz.


Analysis

by VulDB Data Team • 09/08/2025

The vulnerability described in CVE-2019-10188 represents a critical access control flaw within the Moodle learning management system that undermines the integrity of quiz group management functionality. This issue affects Moodle versions prior to 3.7.1, 3.6.5, and 3.5.7, exposing educational institutions to potential unauthorized modifications of quiz configurations. The flaw lies in the quiz group override mechanism, which is designed to let teachers customize quiz settings for different student groups while maintaining proper access boundaries between those groups.

The technical nature of this vulnerability stems from insufficient authorization checks within the quiz group override functionality. When a teacher modifies a group override for a quiz, the system fails to validate that the override being edited belongs to a group the requesting teacher is entitled to manage. This authorization bypass allows a teacher whose rights are limited to one group to read and modify quiz configurations that should be restricted to the teachers of other groups. The vulnerability operates at the application level and affects the core quiz management components of Moodle's access control system.

From an operational standpoint, this vulnerability poses significant risks to educational institutions using Moodle for assessment management. Teachers who should only have access to their own group's quiz configurations can potentially manipulate quiz settings for other groups, leading to unfair advantages, compromised exam integrity, and potential academic misconduct. The impact extends beyond simple configuration changes as these overrides can affect quiz timing, question availability, grading policies, and other critical assessment parameters. This flaw directly violates the principle of least privilege and could enable unauthorized access to sensitive assessment data and student performance information.

The vulnerability aligns with CWE-284 (Improper Access Control) and demonstrates a clear breakdown in the authorization mechanisms that should keep distinct user roles within the platform separate. From an ATT&CK framework perspective, this issue maps to privilege escalation techniques and can be leveraged to gain unauthorized access to restricted system functionality. Organizations should upgrade without delay to the fixed releases 3.7.1, 3.6.5, or 3.5.7 to address this vulnerability. Additionally, institutions should audit their quiz group overrides and review user permissions to ensure proper access controls remain in place. Regular security assessments and monitoring of user activity within the quiz management modules should be maintained as ongoing mitigations to prevent similar issues from emerging in the future.
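To make the missing check concrete, the following Python model contrasts the two authorization policies the analysis describes: one that only asks whether the teacher may edit overrides on the quiz at all, and one that additionally confirms the override targets a group the teacher belongs to. It is an illustration added here, not Moodle's code; the names `Teacher`, `Override`, `editable_quizzes` and `access_all_groups` are assumptions of the model.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Override:
    """A per-group quiz override (constructed model, not Moodle's own data structure)."""
    quiz_id: int
    group_id: int
    time_limit_min: int


@dataclass(frozen=True)
class Teacher:
    """What matters for the check: quizzes the teacher may edit and groups they belong to."""
    user_id: int
    editable_quizzes: frozenset
    groups: frozenset
    access_all_groups: bool = False  # course-wide "all groups" right (assumed name)


def can_edit_override_vulnerable(teacher: Teacher, override: Override) -> bool:
    # Only asks "may this teacher edit overrides on this quiz at all?". The group the
    # override targets is never compared with the teacher's own groups, which is
    # the gap CVE-2019-10188 describes.
    return override.quiz_id in teacher.editable_quizzes


def can_edit_override_fixed(teacher: Teacher, override: Override) -> bool:
    # Same quiz-level check, then a group-scope check: a teacher confined to their
    # own groups may only touch overrides that target one of those groups.
    if override.quiz_id not in teacher.editable_quizzes:
        return False
    if teacher.access_all_groups:
        return True
    return override.group_id in teacher.groups


# Constructed scenario: quiz 7 has groups 1 and 2; teacher A belongs only to group 1.
TEACHER_A = Teacher(user_id=10, editable_quizzes=frozenset({7}), groups=frozenset({1}))
OWN_GROUP = Override(quiz_id=7, group_id=1, time_limit_min=60)
OTHER_GROUP = Override(quiz_id=7, group_id=2, time_limit_min=600)  # would give group 2 ten hours


def outcomes() -> dict:
    """For each policy, whether teacher A may save the own-group and other-group overrides."""
    policies = {"vulnerable": can_edit_override_vulnerable, "fixed": can_edit_override_fixed}
    return {name: (check(TEACHER_A, OWN_GROUP), check(TEACHER_A, OTHER_GROUP))
            for name, check in policies.items()}
```

Under the vulnerable policy teacher A can save both overrides; under the fixed policy only the group 1 override is accepted, which is the behaviour the patched releases restore.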

Responsible: Red Hat, Inc.

Reservation: 03/27/2019

Moderation: accepted

CPE: ready

EPSS: 0.00156

KEV: no

Activities: very low
