CVE-2022-0334 in Moodle
Summary
by MITRE • 01/25/2022
A flaw was found in Moodle in versions 3.11 to 3.11.4, 3.10 to 3.10.8, 3.9 to 3.9.11 and earlier unsupported versions. Insufficient capability checks could lead to users accessing their grade report for courses where they did not have the required gradereport/user:view capability.
Analysis
by VulDB Data Team • 09/09/2025
This vulnerability exists in the Moodle learning management system, where inadequate access control allows unauthorized users to view grade reports for courses they should not have access to. The flaw affects Moodle 3.11 through 3.11.4, 3.10 through 3.10.8, 3.9 through 3.9.11, and unsupported older releases. The core issue is an insufficient capability check: the gradereport/user:view capability that should gate access to grade reports is not consistently enforced. The author classes this as a critical authorization bypass that undermines the platform's security model.
Technically, the flaw is a gap in capability verification: the application does not confirm that the requesting user holds the required capability before granting access to grade report functionality. This missing check lets users reach the report by requesting grade report URLs directly or through crafted requests that sidestep the normal permission path. The vulnerability operates at the application layer and could be exploited by low-privileged users to disclose course grades they should not be able to see.
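The pattern behind the flaw, as an added illustration that is not Moodle's own code or its actual patch: a page script that renders a user grade report must enforce gradereport/user:view in the course context before doing any work, and the weak version below simply omits that step. It assumes Moodle's standard access API (require_login, context_course, require_capability) and uses moodle/grade:viewall as the capability that gates viewing another user's grades; the request parameters and function names are illustrative.

```php
<?php
// Added illustration (not Moodle's code): the authorization gap behind
// CVE-2022-0334 and its hardened counterpart. Assumes a standard Moodle
// checkout so config.php sets up $USER and the access API.
require_once(__DIR__ . '/../../config.php');

// WEAK: login/enrolment is checked, but the capability that actually
// gates grade reports is never verified, so any enrolled user reaches
// the report regardless of the gradereport/user:view capability.
function render_user_grade_report_weak(stdClass $course, int $userid): void {
    require_login($course);
    // ... grade report is built and output here ...
}

// HARDENED: resolve the course context, require the capability that
// gates grade reports, and require the stronger capability when the
// report requested belongs to somebody other than the caller.
function render_user_grade_report_hardened(stdClass $course, int $userid): void {
    global $USER;
    require_login($course);
    $context = context_course::instance($course->id);

    // Fails with a "required capability" exception instead of rendering.
    require_capability('gradereport/user:view', $context);

    if ($userid != $USER->id) {
        // Viewing another user's grades needs moodle/grade:viewall
        // in this course context (assumed capability for the example).
        require_capability('moodle/grade:viewall', $context);
    }
    // ... grade report is built and output here ...
}

// Illustrative request handling: course id and optional target user.
$courseid = required_param('id', PARAM_INT);
$userid   = optional_param('userid', $USER->id, PARAM_INT);
$course   = get_course($courseid);

// The capability check lives in the course context, not the system
// context, so a user granted the capability in one course cannot use
// it to read reports in another.
render_user_grade_report_hardened($course, $userid);
```

Checking the capability in the course context matters because Moodle capabilities are scoped; a system-context check would either be too permissive or mask per-course overrides.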
From an operational perspective, this vulnerability compromises the integrity of grade reporting and the confidentiality of academic data within the Moodle environment. An attacker could gain insight into peers' academic performance, which may feed social engineering, grade manipulation attempts, or other malicious activity. Grade reporting is fundamental to the platform's operation and trust model, so the issue directly violates the principle of least privilege and could weaken the overall security posture of institutions relying on Moodle.
The vulnerability aligns with CWE-285 (Improper Authorization), which covers insufficient authorization checks in software systems, and represents a failure in access control implementation. From an attacker's perspective, the author places this flaw under the MITRE ATT&CK framework's privilege escalation and credential access tactics. It could be exploited through direct manipulation of application parameters or by combining it with other weaknesses to reach sensitive academic data. Organizations should apply the latest security patches promptly, review access control configurations, and monitor for unauthorized access attempts against grade reporting functionality. The recommended remediation is to upgrade to a patched Moodle release and ensure that proper capability checks are enforced throughout the grade reporting modules.