CVE-2019-10187
Description
Moodle before 3.7.1, 3.6.5, and 3.5.7 allows users with glossary delete permission to delete entries from other glossaries they cannot access.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Description
A flaw exists in Moodle where users who have been granted the ability to delete entries from one glossary can also delete entries from other glossaries to which they do not have direct access. This issue affects Moodle versions prior to 3.7.1, 3.6.5, and 3.5.7 [1]. The root cause is an insufficient access control check when processing delete operations on glossary entries.
Exploitation
An attacker must have a valid user account with the permission to delete entries from at least one glossary. No special network position is required beyond normal web application access. The vulnerability is triggered by crafting a request to delete a glossary entry from a different glossary, bypassing the intended authorization boundary.
Impact
A successful exploit allows the attacker to delete glossary entries from any glossary on the Moodle site, even if the attacker was not authorized to access that particular glossary. This could lead to data loss or disruption of the learning platform's content.
Mitigation
Moodle has addressed this vulnerability in versions 3.7.1, 3.6.5, and 3.5.7 [1][2]. Sites running earlier versions should upgrade to one of these fixed versions. No workaround is documented, and this CVE is not listed in CISA's Known Exploited Vulnerabilities catalog.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| moodle/moodle (Packagist) | >= 3.7, < 3.7.1 | 3.7.1 |
| moodle/moodle (Packagist) | >= 3.6, < 3.6.5 | 3.6.5 |
| moodle/moodle (Packagist) | >= 3.5, < 3.5.7 | 3.5.7 |
Affected products: 2
Patches: 0
No patches discovered yet.
References (5)
- github.com/advisories/GHSA-2mg9-hv69-897x (ghsa; ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2019-10187 (ghsa; ADVISORY)
- www.securityfocus.com/bid/109174 (ghsa; vdb-entry, x_refsource_BID, WEB)
- bugzilla.redhat.com/show_bug.cgi (ghsa; x_refsource_CONFIRM, WEB)
- moodle.org/mod/forum/discuss.php (ghsa; x_refsource_MISC, WEB)