Medium severity 6.5 · NVD Advisory · Published Jul 17, 2017 · Updated May 13, 2026
CVE-2017-7532
Description
In Moodle 3.x, course creators are able to change system default settings for courses.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| moodle/moodle (Packagist) | >= 3.3.0, < 3.3.1 | 3.3.1 |
| moodle/moodle (Packagist) | >= 3.2.0, < 3.2.4 | 3.2.4 |
| moodle/moodle (Packagist) | < 3.1.7 | 3.1.7 |
Affected products
- cpe:2.3:a:moodle:moodle:3.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:3.1.0:beta:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:3.1.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:3.1.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:3.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:3.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:3.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:3.1.4:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:3.1.5:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:3.1.6:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:3.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:3.2.0:beta:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:3.2.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:3.2.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:3.2.0:rc3:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:3.2.0:rc4:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:3.2.0:rc5:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:3.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:3.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:3.2.3:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:3.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:3.3.1:*:*:*:*:*:*:*
Patches
6e861be6b7d4 MDL-59409 admin: set admin user in unittest
1 file changed · +1 −0
lib/tests/admintree_test.php+1 −0 modified@@ -154,6 +154,7 @@ public function test_admin_setting_configexecutable() { public function test_config_logging() { global $DB; $this->resetAfterTest(); + $this->setAdminUser(); $DB->delete_records('config_log', array());
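Review bot: in test_config_logging(), the added `$this->setAdminUser();` only covers the allowed path, so nothing in this test asserts that a user without access is refused. Since the accompanying change restricts which settings a user may write, add a companion case that runs as a non-admin user and asserts that the setting is left unchanged and that no config_log record is created.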
915f801546a5 MDL-59409 admin: check access to every setting in category
2 files changed · +9 −5
admin/category.php+1 −1 modified@@ -89,7 +89,7 @@ $savebutton = false; $outputhtml = ''; foreach ($settingspage->children as $childpage) { - if ($childpage->is_hidden()) { + if ($childpage->is_hidden() || !$childpage->check_access()) { continue; } if ($childpage instanceof admin_externalpage) {
lib/adminlib.php+8 −4 modified@@ -8122,21 +8122,25 @@ function admin_find_write_settings($node, $data) { } if ($node instanceof admin_category) { - $entries = array_keys($node->children); - foreach ($entries as $entry) { - $return = array_merge($return, admin_find_write_settings($node->children[$entry], $data)); + if ($node->check_access()) { + $entries = array_keys($node->children); + foreach ($entries as $entry) { + $return = array_merge($return, admin_find_write_settings($node->children[$entry], $data)); + } } } else if ($node instanceof admin_settingpage) { + if ($node->check_access()) { foreach ($node->settings as $setting) { $fullname = $setting->get_full_name(); if (array_key_exists($fullname, $data)) { $return[$fullname] = $setting; } } - } + } + return $return; }
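Review bot: in admin_find_write_settings() in lib/adminlib.php, the new `if ($node->check_access()) {` in the admin_settingpage branch wraps a foreach that appears only as unchanged context, so the loop keeps its old indentation inside the new block and the closing braces are hard to match up. Folding the check into the branch conditions, `if ($node instanceof admin_category && $node->check_access())` and `else if ($node instanceof admin_settingpage && $node->check_access())`, gives the same result without the extra nesting level. A one-line comment stating that submitted data for nodes the user cannot access is deliberately ignored would also document why the check sits on the write path as well as on the display loop in admin/category.php.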
References
- moodle.org/mod/forum/discuss.php (nvd; Patch, Vendor Advisory, WEB)
- github.com/advisories/GHSA-jjhx-5jff-rc8m (ghsa; ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2017-7532 (ghsa; ADVISORY)
- github.com/moodle/moodle/commit/6e861be6b7d49c5ac4583ae46762a28ede5785ad (ghsa; WEB)
- github.com/moodle/moodle/commit/915f801546a5c3618feab897072c985abfce57df (ghsa; WEB)
- web.archive.org/web/20210614032706/http://www.securityfocus.com/bid/99617 (ghsa; WEB)
- www.securityfocus.com/bid/99617 (nvd)