CVE-2021-43560 in Moodle

Summary

by MITRE • 11/22/2021

A flaw was found in Moodle in versions 3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10 and earlier unsupported versions. Insufficient capability checks made it possible to fetch other users' calendar action events.


Analysis

by VulDB Data Team • 09/04/2025

This vulnerability affects the Moodle learning management system: insufficient capability checks in the calendar code let an authenticated user fetch calendar action events that belong to other users. Affected versions are 3.11.0 through 3.11.3, 3.10.0 through 3.10.7, 3.9.0 through 3.9.10, and earlier releases that are no longer supported. The root cause is an access-control gap: the code that retrieves calendar data does not verify that the requesting user is permitted to see the events it returns, which creates an information disclosure risk.

The flaw lies in the calendar action-event retrieval functionality, which does not adequately verify that the requesting user is authorized to read the specific events being fetched. That is a capability check failure of the kind catalogued as CWE-284 Improper Access Control, and a direct violation of the principle of least privilege. Because the check is missing at the point where data is returned, an authenticated user can read, and potentially enumerate, action events that should be visible only to their owner or to specific roles, bypassing the access controls the application intends to enforce.

Operationally, an attacker with any valid account gains visibility into other users' calendar action events. In Moodle these are the per-user entries that feed the timeline, such as assignment and quiz deadlines, so they can reveal which courses and activities a person is enrolled in, their upcoming deadlines and other scheduled activity. The impact goes beyond generic information disclosure because a low-privileged account, such as a student, can read events belonging to other students, teachers or administrators, which raises privacy concerns and hands an attacker reconnaissance data about the organization's activity.

The vulnerability maps to MITRE ATT&CK techniques T1213 Data from Information Repositories and T1078 Valid Accounts, since it uses a legitimate account to pull restricted data from an application store. Organizations running affected versions should update to the first release after each affected range (3.11.4, 3.10.8 or 3.9.11); installations on earlier, unsupported branches receive no fix and must be upgraded to a supported branch. Beyond patching, the lasting fix is to make every data retrieval path decide access from the caller's identity and capabilities rather than from a user id supplied in the request, and to review the rest of the access-control surface for the same pattern. For detection, one account requesting calendar data for many different user ids in a short period is the signature to look for in the web server and Moodle logs. Restricting which networks can reach the Moodle front end shrinks the pool of potential attackers but does not remove the flaw, because any authenticated user can trigger it.
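The missing check described in the analysis, shown in its vulnerable form beside the hardened form, as an added illustration in Python. This is not Moodle code (Moodle is PHP); the data model, the function names and the capability name calendar:viewanyactionevents are invented for the example. The vulnerable fetch trusts the user id supplied in the request, the fixed fetch decides from the caller's own identity and capabilities, and enumerate_events models the user-id walk an attacker would run against each version:

```python
"""Model of the capability-check bug class behind CVE-2021-43560.

Added illustration, not Moodle code: the data model, function names and the
capability name are invented to show an endpoint that takes a target user id
from the request and returns that user's calendar action events without
verifying that the caller may see them.
"""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List


class PermissionDenied(Exception):
    """Raised when the caller may not read the requested user's events."""


@dataclass(frozen=True)
class ActionEvent:
    id: int
    userid: int      # owner of the event
    name: str
    timesort: int    # sort key, e.g. the due time as a UNIX timestamp


@dataclass(frozen=True)
class User:
    id: int
    capabilities: FrozenSet[str] = frozenset()


# Hypothetical capability name used by this model only (not a Moodle capability).
VIEW_ANY_CAP = "calendar:viewanyactionevents"

# Constructed sample data: three users, events owned by two of them.
STUDENT = User(id=1)
OTHER_STUDENT = User(id=2)
ADMIN = User(id=3, capabilities=frozenset({VIEW_ANY_CAP}))

EVENTS: List[ActionEvent] = [
    ActionEvent(10, 1, "Assignment 1 due", 1_700_000_000),
    ActionEvent(11, 2, "Quiz 3 due", 1_700_003_600),
    ActionEvent(12, 2, "Private appointment", 1_700_007_200),
]


def _events_for(userid: int, limit: int) -> List[ActionEvent]:
    """Unchecked data access: the target user's events in timesort order."""
    owned = [e for e in EVENTS if e.userid == userid]
    return sorted(owned, key=lambda e: e.timesort)[:limit]


def fetch_action_events_vulnerable(caller: User, target_userid: int,
                                   limit: int = 20) -> List[ActionEvent]:
    """Bug-class illustration: the only check is that someone is logged in.

    target_userid comes straight from the request and is never compared with
    the caller, so any authenticated user can read any other user's events.
    """
    if caller is None:
        raise PermissionDenied("login required")
    return _events_for(target_userid, limit)


def fetch_action_events_fixed(caller: User, target_userid: int,
                              limit: int = 20) -> List[ActionEvent]:
    """Hardened form: a capability check sits in front of the data access.

    The caller may read their own events; reading someone else's requires an
    explicit capability, decided server-side from the caller's identity rather
    than from anything in the request.
    """
    if caller is None:
        raise PermissionDenied("login required")
    if target_userid != caller.id and VIEW_ANY_CAP not in caller.capabilities:
        raise PermissionDenied(
            f"user {caller.id} may not read events of user {target_userid}")
    return _events_for(target_userid, limit)


def enumerate_events(fetch: Callable[..., List[ActionEvent]], caller: User,
                     userids: List[int]) -> Dict[int, int]:
    """Models the enumeration an attacker attempts: walk candidate user ids
    and count how many events each request leaks (0 when the check denies it).
    """
    leaked: Dict[int, int] = {}
    for uid in userids:
        try:
            leaked[uid] = len(fetch(caller, uid))
        except PermissionDenied:
            leaked[uid] = 0
    return leaked


if __name__ == "__main__":
    ids = [u.id for u in (STUDENT, OTHER_STUDENT, ADMIN)]
    print("vulnerable:", enumerate_events(fetch_action_events_vulnerable, STUDENT, ids))
    print("fixed:     ", enumerate_events(fetch_action_events_fixed, STUDENT, ids))
```

Run as a script, the vulnerable fetch lets the student account read both of user 2's events while the fixed fetch returns only the student's own event and denies the rest; the admin account, which holds the capability, can still read user 2's events through the fixed path. The point of the structure is that the authorization decision lives in the function that serves the request, so no caller can reach `_events_for` without passing it.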

Reservation

11/09/2021

Disclosure

11/22/2021

Moderation

accepted

CPE

ready

EPSS

0.00973

KEV

no

Activities

very low

Sources
