CVE-2019-10189 in Moodle
Summary
by MITRE
A flaw was found in moodle before versions 3.7.1, 3.6.5, 3.5.7. Teachers in an assignment group could modify group overrides for other groups in the same assignment.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 09/09/2025
This vulnerability exists in the moodle learning management system where insufficient access controls allow teachers to manipulate assignment group overrides for groups they do not belong to. The flaw affects versions prior to 3.7.1, 3.6.5, and 3.5.7, representing a critical authorization bypass issue that undermines the integrity of assignment management within educational institutions. The vulnerability stems from inadequate validation of user permissions when processing group override modifications, enabling unauthorized teachers to modify assignment settings for groups outside their designated scope.
The technical implementation of this flaw occurs within the assignment module's group override functionality where the system fails to properly verify whether a teacher has administrative rights over the target group before allowing modifications to group-specific assignment overrides. This represents a classic case of insufficient authorization checks as classified under CWE-285, where the system grants privileges beyond what is intended for the authenticated user. The vulnerability operates at the application layer and can be exploited through normal user interaction without requiring special privileges or complex attack vectors.
From an operational perspective, this vulnerability poses significant risks to educational institutions as it allows teachers to manipulate assignment deadlines, grading criteria, and access permissions for other groups' assignments. Attackers could potentially extend assignment deadlines for competing groups, alter grading rubrics, or restrict access to assignment materials, thereby compromising academic fairness and integrity. The impact extends beyond individual assignments to potentially affect grade calculations, course progression, and overall learning outcomes for students. This vulnerability directly relates to the ATT&CK technique T1078.004 which involves valid accounts with insufficient privileges being used to gain unauthorized access to resources.
The mitigation strategy involves upgrading to the patched versions of moodle 3.7.1, 3.6.5, and 3.5.7 where proper access controls have been implemented to verify group membership and authorization before allowing override modifications. Organizations should also implement regular security audits of user roles and permissions, establish proper segregation of duties for assignment management, and monitor for unauthorized modifications to assignment settings. Additionally, implementing role-based access controls with explicit permissions for group override operations will help prevent similar vulnerabilities in the future. The fix addresses the root cause by enforcing proper authorization checks that validate both user credentials and group membership before permitting any modifications to assignment overrides.