VYPR
Medium severity · 5.3 · NVD Advisory · Published Jan 20, 2017 · Updated May 13, 2026

CVE-2016-8642

Description

In Moodle 2.x and 3.x, the question engine allows access to files that should not be available.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                      Affected versions        Patched versions
moodle/moodle (Packagist)    >= 3.1.0, < 3.1.3        3.1.3
moodle/moodle (Packagist)    >= 3.0.0, < 3.0.7        3.0.7
moodle/moodle (Packagist)    >= 2.9.0, < 2.9.9        2.9.9
moodle/moodle (Packagist)    >= 2.8.0, <= 2.8.12      (none listed)
moodle/moodle (Packagist)    >= 2.7.0, < 2.7.17       2.7.17

Affected products

  • Moodle/Moodle: 33 versions
    • cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:* (range: <=2.7.16)
    • cpe:2.3:a:moodle:moodle:2.8.0:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.8.1:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.8.10:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.8.11:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.8.12:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.8.2:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.8.3:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.8.4:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.8.5:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.8.6:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.8.7:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.8.8:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.8.9:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.9.0:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.9.1:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.9.2:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.9.3:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.9.4:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.9.5:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.9.6:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.9.7:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:2.9.8:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:3.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:3.0.1:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:3.0.2:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:3.0.3:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:3.0.4:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:3.0.5:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:3.0.6:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:3.1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:3.1.1:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:3.1.2:*:*:*:*:*:*:*

Patches

cf0b9432d81b

MDL-53744 question file access: fix access checks

https://github.com/moodle/moodle · Tim Hunt · Sep 26, 2016 · via ghsa
2 files changed · +6 -5
  • question/type/essay/question.php (+1 -1, modified)
    @@ -140,7 +140,7 @@ public function check_file_access($qa, $options, $component, $filearea, $args, $
                 return $this->responseformat === 'editorfilepicker';
     
             } else if ($component == 'qtype_essay' && $filearea == 'graderinfo') {
    -            return $options->manualcomment;
    +            return $options->manualcomment && $args[0] == $this->id;
     
             } else {
                 return parent::check_file_access($qa, $options, $component,
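
Review bot: the new guard in the graderinfo branch uses a loose comparison, `$args[0] == $this->id`. PHP's `==` applies type juggling, so if `$args[0]` is taken from the requested file path as a string, values other than the canonical id can still compare equal (for example numeric strings written in a different form). Consider normalising both sides, e.g. `(int) $args[0] === (int) $this->id`, and treating a missing `$args[0]` as an explicit deny. The unchanged branch just above still returns only `$this->responseformat === 'editorfilepicker'`; it is worth confirming that this file area is tied to its owner somewhere outside the lines shown.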
    
  • question/type/questionbase.php (+5 -4, modified)
    @@ -413,11 +413,11 @@ public function make_html_inline($html) {
          */
         public function check_file_access($qa, $options, $component, $filearea, $args, $forcedownload) {
             if ($component == 'question' && $filearea == 'questiontext') {
    -            // Question text always visible.
    -            return true;
    +            // Question text always visible, but check it is the right question id.
    +            return $args[0] == $this->id;
     
             } else if ($component == 'question' && $filearea == 'generalfeedback') {
    -            return $options->generalfeedback;
    +            return $options->generalfeedback && $args[0] == $this->id;
     
             } else {
                 // Unrecognised component or filearea.
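
Review bot: the same `$args[0] == $this->id` test is now written out separately in the questiontext and generalfeedback branches, so every file area added to this method later, or handled in a subclass override, has to remember to repeat it. For the file areas whose item id is the question id, consider doing the ownership check in one small helper or once before the component/filearea dispatch, so a new branch cannot skip it. The method docblock that ends at the top of this hunk should also state that `$args[0]` is expected to be the question id, since the check now depends on it.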
    @@ -681,7 +681,8 @@ protected function check_combined_feedback_file_access($qa, $options, $filearea)
                 list($notused, $state) = $this->grade_response($response);
             }
     
    -        return $options->feedback && $state->get_feedback_class() . 'feedback' == $filearea;
    +        return $options->feedback && $state->get_feedback_class() . 'feedback' == $filearea &&
    +                $args[0] == $this->id;
         }
     
         /**
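
Review bot: the added condition reads `$args[0]`, but the signature shown in the hunk header is `check_combined_feedback_file_access($qa, $options, $filearea)` and nothing in this hunk adds an `$args` parameter. Unless `$args` is assigned in the part of the method not shown, it is undefined here: `$args[0]` evaluates to null, PHP raises a notice, and the comparison with `$this->id` fails for any real question id. That fails closed, but legitimate combined-feedback files would be refused. Pass `$args` in as a fourth parameter and update the callers to supply it.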
    
