CVE-2010-1617
Description
Moodle user/view.php fails to enforce role checks, letting authenticated users view other users' full names on course profile pages.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
In Moodle 1.8.x before 1.8.12 and 1.9.x before 1.9.8, the file user/view.php does not properly validate a user's role when displaying the course profile page. This allows remote authenticated users who are enrolled in a course to view the full names of other users in that course, bypassing intended role-based access controls [1].
Exploitation
An attacker must have a valid authenticated session on a vulnerable Moodle instance and be enrolled in a course. By navigating to the course profile page (e.g., /user/view.php with appropriate parameters for a target user in the same course), the attacker can retrieve the full name of that user. No special privileges or additional steps beyond normal web access are required [1].
Impact
An authenticated user can obtain full names of other users in the same course, resulting in unauthorized disclosure of personally identifiable information. This information disclosure could be used for social engineering or to map user accounts. The vulnerability does not provide access to roles, passwords, or other sensitive data, but it violates user privacy expectations [1].
Mitigation
The vulnerability is fixed in Moodle 1.8.12 and 1.9.8, both released in 2010. Administrators should upgrade to these versions or later. For sites still running older unsupported versions, no workaround is available, and upgrading is strongly recommended. This CVE is not currently listed in CISA's Known Exploited Vulnerabilities catalog [1].
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| moodle/moodle (Packagist) | >= 1.8.0, < 1.8.12 | 1.8.12 |
| moodle/moodle (Packagist) | >= 1.9.0, < 1.9.8 | 1.9.8 |
Affected products
- cpe:2.3:a:moodle:moodle:1.8.1:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:1.8.10:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:1.8.11:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:1.8.2:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:1.8.3:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:1.8.4:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:1.8.5:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:1.8.6:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:1.8.7:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:1.8.8:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:1.8.9:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:1.9.1:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:1.9.2:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:1.9.3:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:1.9.4:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:1.9.5:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:1.9.6:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:1.9.7:*:*:*:*:*:*:*
References
- github.com/advisories/GHSA-q53j-c866-h9mw (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2010-1617 (ghsa, ADVISORY)
- cvs.moodle.org/moodle/user/view.php (nvd, WEB)
- lists.opensuse.org/opensuse-security-announce/2010-05/msg00001.html (nvd, WEB)
- moodle.org/security (ghsa, WEB)
- moodle.org/security/ (nvd)
- www.vupen.com/english/advisories/2010/1107 (nvd)