CVE-2019-10188
Description
Moodle before 3.7.1, 3.6.5, 3.5.7 allowed teachers in a quiz group to modify group overrides for other groups in the same quiz, bypassing intended access controls.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability Overview
A flaw in Moodle's quiz activity allowed teachers assigned to a specific group to modify group overrides for other groups within the same quiz [1]. This occurred because the permission checks did not properly enforce group membership or the accessallgroups capability, enabling a teacher to alter time limits, attempt limits, or other quiz settings for groups they did not belong to [3].
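The missing check described above, modelled as an added example (not Moodle's code and not taken from the advisory): the unscoped function authorizes on the quiz-level capability alone, while the scoped one also requires membership of the target group or accessallgroups. Class, function and capability-label names are assumptions made for this model, and any users or log entries passed in are constructed by the caller.

```python
from dataclasses import dataclass, field

# Labels for this model only (assumptions), not read from Moodle's source.
MANAGE_OVERRIDES = "manageoverrides"
ACCESS_ALL_GROUPS = "accessallgroups"

class AccessDenied(Exception):
    pass

@dataclass
class User:
    name: str
    capabilities: set
    groups: set

@dataclass
class Quiz:
    # group id -> override settings, e.g. {"timelimit": 3600, "attempts": 1}
    group_overrides: dict = field(default_factory=dict)

def can_edit_group_override(user, group_id):
    """Capability check plus group scope: member of the group, or accessallgroups."""
    if MANAGE_OVERRIDES not in user.capabilities:
        return False
    return ACCESS_ALL_GROUPS in user.capabilities or group_id in user.groups

def save_override_unscoped(quiz, user, group_id, settings):
    """Flawed pattern: the target group id is trusted once the capability passes."""
    if MANAGE_OVERRIDES not in user.capabilities:
        raise AccessDenied("missing override capability")
    quiz.group_overrides[group_id] = dict(settings)

def save_override_scoped(quiz, user, group_id, settings):
    """Corrected pattern: the target group is authorized server-side on every write."""
    if not can_edit_group_override(user, group_id):
        raise AccessDenied(f"{user.name} may not edit overrides for group {group_id}")
    quiz.group_overrides[group_id] = dict(settings)

def audit_override_changes(change_log, users):
    """Return logged (editor, group) changes that fall outside the editor's scope.

    change_log is a list of (user name, group id) pairs; users maps name -> User.
    Useful for reviewing override edits made before an instance was upgraded.
    """
    return [(who, gid) for who, gid in change_log
            if not can_edit_group_override(users[who], gid)]
```
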
Exploitation Conditions
To exploit this vulnerability, an attacker must have a teacher role in a course that uses group overrides for quizzes. The teacher must be assigned to at least one group in the quiz, but the flaw allows them to modify overrides for any other group in the same quiz. No special network position or additional authentication is required beyond the teacher's existing credentials [1][3].
Impact
A malicious teacher could change quiz overrides for other groups, potentially extending time limits, increasing attempt numbers, or altering grading settings for students in those groups. This could give an unfair advantage or disrupt the intended quiz conditions for other students, undermining the integrity of the assessment [1].
Mitigation
The vulnerability is fixed in Moodle versions 3.7.1, 3.6.5, and 3.5.7. Administrators should upgrade to these or later versions. No workaround is documented, and the issue is not known to be exploited in the wild [1][3].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| moodle/moodle (Packagist) | < 3.5.7 | 3.5.7 |
| moodle/moodle (Packagist) | >= 3.6.0, < 3.6.5 | 3.6.5 |
| moodle/moodle (Packagist) | >= 3.7.0, < 3.7.1 | 3.7.1 |
References
- github.com/advisories/GHSA-92q5-2h76-vgmj (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2019-10188 (GHSA, advisory)
- www.securityfocus.com/bid/109178 (GHSA, vdb-entry, x_refsource_BID, web)
- bugzilla.redhat.com/show_bug.cgi (GHSA, x_refsource_CONFIRM, web)
- moodle.org/mod/forum/discuss.php (GHSA, x_refsource_CONFIRM, web)