VYPR
Moderate severity · NVD Advisory · Published Jul 11, 2012 · Updated Apr 29, 2026

CVE-2011-4300

Description

The file_browser component in Moodle 2.0.x before 2.0.5 and 2.1.x before 2.1.2 allows remote attackers to access sensitive category and course data without proper authentication.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The file_browser component in Moodle 2.0.x before 2.0.5 and 2.1.x before 2.1.2 does not properly restrict access to category and course data [1]. The get_file_info methods in course_file_browser and module_file_browser classes lacked checks for user login, course visibility, enrollment, and activity visibility [3][4]. This allowed unauthorized access to file information.

Exploitation

An attacker can send a crafted request for a file to the file_browser component without being logged in or enrolled in the course [1][3]. The fix added checks for isloggedin(), course visibility, is_viewing(), is_enrolled(), and uservisible for activities [3][4]. No authentication or special privileges are required; the attacker only needs network access to the Moodle instance.

Impact

Successful exploitation allows a remote attacker to obtain potentially sensitive information about categories and courses, such as file listings and metadata [1]. This could expose hidden course names, activity details, or other data that should be restricted to enrolled users or those with appropriate permissions.

Mitigation

The vulnerability is fixed in Moodle 2.0.5 and 2.1.2, released in December 2011 [2]. Administrators should upgrade to these versions or later. No workaround is documented; the fix involves adding access control checks in the file_browser code [3][4]. Moodle 1.9.14 also received related fixes [2].

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                     Affected versions     Patched versions
moodle/moodle (Packagist)   >= 2.1, < 2.1.2       2.1.2
moodle/moodle (Packagist)   >= 2.0.0, < 2.0.5     2.0.5
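
A defender-side check against the ranges above, added here as an example (not code from Moodle or from this advisory): it reads the `$release` string from a site's version.php and classifies it. The `$release` line format, the "+" suffix for interim builds, and every function name are assumptions of this example.

```python
import re

# Affected ranges as listed on this page: [first affected, first fixed).
AFFECTED_RANGES = [((2, 0, 0), (2, 0, 5)), ((2, 1, 0), (2, 1, 2))]

# Assumption: version.php has a line like  $release = '2.0.4 (Build: 20110801)';
_RELEASE_RE = re.compile(r"""^\s*\$release\s*=\s*['"]([^'"]+)['"]""", re.MULTILINE)
_VERSION_RE = re.compile(r"\s*(\d+)\.(\d+)(?:\.(\d+))?(\+)?")


def release_from_version_php(text):
    """Return the $release string from version.php contents, or None."""
    m = _RELEASE_RE.search(text)
    return m.group(1) if m else None


def parse_release(release):
    """'2.1.1+ (Build: ...)' -> ((2, 1, 1), True); missing parts become 0."""
    m = _VERSION_RE.match(release or "")
    if not m:
        raise ValueError(f"unrecognised release string: {release!r}")
    version = tuple(int(p or 0) for p in m.group(1, 2, 3))
    return version, m.group(4) is not None


def classify(release):
    """Return 'affected', 'not-affected' or 'verify-source'."""
    version, interim = parse_release(release)
    if not any(lo <= version < hi for lo, hi in AFFECTED_RANGES):
        return "not-affected"
    # An interim ("+") build of an affected release may or may not already
    # carry the fix commits: inspect get_file_info() in
    # lib/filebrowser/file_info_context_course.php for the isloggedin() check.
    return "verify-source" if interim else "affected"


# Constructed sample input, not taken from a real site.
SAMPLE_VERSION_PHP = """<?php
$version  = 2011033005.00;
$release  = '2.0.4 (Build: 20110801)';
"""

if __name__ == "__main__":
    rel = release_from_version_php(SAMPLE_VERSION_PHP)
    print(rel, "->", classify(rel))
```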

Affected products

  • Moodle/Moodle (7 versions)
    • cpe:2.3:a:moodle:moodle:2.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.0.1:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.0.2:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.0.3:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.0.4:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.1.1:*:*:*:*:*:*:*
  • ghsa-coords
    Range: >= 2.1, < 2.1.2

Patches

6f7c43c7de8f

Merge branch 'w31_MDL-27586_m21_browser' of git://github.com/skodak/moodle into MOODLE_21_STABLE

https://github.com/moodle/moodle · Sam Hemelryk · Aug 8, 2011 · via ghsa
2 files changed · +28 −1
  • lib/filebrowser/file_info_context_course.php · +10 −0 · modified
    @@ -53,10 +53,20 @@ public function __construct($browser, $context, $course) {
          * @param $filename
          */
         public function get_file_info($component, $filearea, $itemid, $filepath, $filename) {
    +        // try to emulate require_login() tests here
    +        if (!isloggedin()) {
    +            return null;
    +        }
    +
             if (!$this->course->visible and !has_capability('moodle/course:viewhiddencourses', $this->context)) {
                 return null;
             }
     
    +        if (!is_viewing($this->context) and !is_enrolled($this->context)) {
    +            // no peaking here if not enrolled or inspector
    +            return null;
    +        }
    +
             if (empty($component)) {
                 return $this;
             }
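
Review bot: The three early exits in get_file_info() all return a bare null, and the docblock above it (which ends at `@param $filename`) never says so. Add a `@return` line stating that null means "not found or access denied", so callers know they must handle it rather than dereference the result.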
    
  • lib/filebrowser/file_info_context_module.php · +18 −1 · modified
    @@ -75,11 +75,28 @@ public function __construct($browser, $context, $course, $cm, $modname) {
          * @param $filename
          */
         public function get_file_info($component, $filearea, $itemid, $filepath, $filename) {
    -        if (!is_enrolled($this->context) and !is_viewing($this->context)) {
    +        // try to emulate require_login() tests here
    +        if (!isloggedin()) {
    +            return null;
    +        }
    +
    +        $coursecontext = get_course_context($this->context);
    +        if (!$this->course->visible and !has_capability('moodle/course:viewhiddencourses', $coursecontext)) {
    +            return null;
    +        }
    +
    +        if (!is_viewing($this->context) and !is_enrolled($this->context)) {
                 // no peaking here if not enrolled or inspector
                 return null;
             }
     
    +        $modinfo = get_fast_modinfo($this->course);
    +        $cminfo = $modinfo->get_cm($this->cm->id);
    +        if (!$cminfo->uservisible) {
    +            // activity hidden sorry
    +            return null;
    +        }
    +
             if (empty($component)) {
                 return $this;
             }
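
Review bot: `get_course_context($this->context)` is passed straight into has_capability() with no check on what it returned. If no course context can be resolved for this module context, the hidden-course test runs against an unusable value; return null when `$coursecontext` is empty before calling has_capability().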
    
81c77993e380

Merge branch 'w31_MDL-27586_m20_browser' of git://github.com/skodak/moodle into MOODLE_20_STABLE

https://github.com/moodle/moodle · Sam Hemelryk · Aug 8, 2011 · via ghsa
2 files changed · +28 −1
  • lib/filebrowser/file_info_context_course.php · +10 −0 · modified
    @@ -53,10 +53,20 @@ public function __construct($browser, $context, $course) {
          * @param $filename
          */
         public function get_file_info($component, $filearea, $itemid, $filepath, $filename) {
    +        // try to emulate require_login() tests here
    +        if (!isloggedin()) {
    +            return null;
    +        }
    +
             if (!$this->course->visible and !has_capability('moodle/course:viewhiddencourses', $this->context)) {
                 return null;
             }
     
    +        if (!is_viewing($this->context) and !is_enrolled($this->context)) {
    +            // no peaking here if not enrolled or inspector
    +            return null;
    +        }
    +
             if (empty($component)) {
                 return $this;
             }
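
Review bot: The comment "try to emulate require_login() tests here" marks a hand-copied subset of another function's checks, and the same login, hidden-course and enrolment block is pasted into file_info_context_module.php in this commit. Move the shared checks into one helper that both get_file_info() methods call, so a later change to the access rules cannot be applied to one file and missed in the other.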
    
  • lib/filebrowser/file_info_context_module.php · +18 −1 · modified
    @@ -75,11 +75,28 @@ public function __construct($browser, $context, $course, $cm, $modname) {
          * @param $filename
          */
         public function get_file_info($component, $filearea, $itemid, $filepath, $filename) {
    -        if (!is_enrolled($this->context) and !is_viewing($this->context)) {
    +        // try to emulate require_login() tests here
    +        if (!isloggedin()) {
    +            return null;
    +        }
    +
    +        $coursecontext = get_course_context($this->context);
    +        if (!$this->course->visible and !has_capability('moodle/course:viewhiddencourses', $coursecontext)) {
    +            return null;
    +        }
    +
    +        if (!is_viewing($this->context) and !is_enrolled($this->context)) {
                 // no peaking here if not enrolled or inspector
                 return null;
             }
     
    +        $modinfo = get_fast_modinfo($this->course);
    +        $cminfo = $modinfo->get_cm($this->cm->id);
    +        if (!$cminfo->uservisible) {
    +            // activity hidden sorry
    +            return null;
    +        }
    +
             if (empty($component)) {
                 return $this;
             }
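
Review bot: The result of `$modinfo->get_cm($this->cm->id)` is dereferenced on the next line (`$cminfo->uservisible`) with no guard for a module id that is missing from the modinfo. Handle that case explicitly and return null, so a failed lookup denies access the same way the other checks in this method do.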
    
f6b07c4da54a

MDL-27586 fix file_browser access control

https://github.com/moodle/moodle · Petr Skoda · Aug 6, 2011 · via ghsa
2 files changed · +28 −1
  • lib/filebrowser/file_info_context_course.php · +10 −0 · modified
    @@ -53,10 +53,20 @@ public function __construct($browser, $context, $course) {
          * @param $filename
          */
         public function get_file_info($component, $filearea, $itemid, $filepath, $filename) {
    +        // try to emulate require_login() tests here
    +        if (!isloggedin()) {
    +            return null;
    +        }
    +
             if (!$this->course->visible and !has_capability('moodle/course:viewhiddencourses', $this->context)) {
                 return null;
             }
     
    +        if (!is_viewing($this->context) and !is_enrolled($this->context)) {
    +            // no peaking here if not enrolled or inspector
    +            return null;
    +        }
    +
             if (empty($component)) {
                 return $this;
             }
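
Review bot: The comment on the new enrolment check reads "no peaking here if not enrolled or inspector"; "peaking" should be "peeking", and "inspector" does not correspond to anything in the condition. Say what is_viewing() admits instead, since that comment is the only explanation of who passes this gate.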
    
  • lib/filebrowser/file_info_context_module.php · +18 −1 · modified
    @@ -75,11 +75,28 @@ public function __construct($browser, $context, $course, $cm, $modname) {
          * @param $filename
          */
         public function get_file_info($component, $filearea, $itemid, $filepath, $filename) {
    -        if (!is_enrolled($this->context) and !is_viewing($this->context)) {
    +        // try to emulate require_login() tests here
    +        if (!isloggedin()) {
    +            return null;
    +        }
    +
    +        $coursecontext = get_course_context($this->context);
    +        if (!$this->course->visible and !has_capability('moodle/course:viewhiddencourses', $coursecontext)) {
    +            return null;
    +        }
    +
    +        if (!is_viewing($this->context) and !is_enrolled($this->context)) {
                 // no peaking here if not enrolled or inspector
                 return null;
             }
     
    +        $modinfo = get_fast_modinfo($this->course);
    +        $cminfo = $modinfo->get_cm($this->cm->id);
    +        if (!$cminfo->uservisible) {
    +            // activity hidden sorry
    +            return null;
    +        }
    +
             if (empty($component)) {
                 return $this;
             }
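
Review bot: The commit touches only the two lib/filebrowser files ("2 files changed") and carries no test for the four denial paths this method now has: not logged in, hidden course, neither enrolled nor viewing, and activity not uservisible. Add one test per path asserting that get_file_info() returns null, plus one for the permitted case, so a later reordering or removal of these checks is caught.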
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
