CVE-2019-10189
Description
Teachers in Moodle assignment groups could improperly modify group overrides for unauthorized groups before versions 3.7.1, 3.6.5, 3.5.7.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Description
CVE-2019-10189 is a flaw in Moodle's assignment module where teachers assigned to a specific group could modify group overrides belonging to other groups within the same assignment. The root cause is an insufficient permission check in the assignment override logic, which did not verify that the teacher was a member of the group they were modifying [1].
Exploitation
To exploit this vulnerability, an attacker must have a teacher role in a Moodle course with group override capabilities. The assignment must be set to use group overrides. The teacher can then submit a request to modify overrides for any group in that assignment, bypassing the intended group separation [3].
Impact
A malicious teacher could alter due dates, time limits, or other assignment settings for groups they are not a part of, potentially disrupting course activities or giving unfair advantages to certain students. This violates the principle of least privilege and the expected group isolation in collaborative learning environments.
Mitigation
Moodle has addressed this issue in versions 3.7.1, 3.6.5, and 3.5.7. Administrators should upgrade to these patched versions or later. There are no known workarounds, so immediate patching is recommended [1][3].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| moodle/moodle (Packagist) | >= 3.7.0, < 3.7.1 | 3.7.1 |
| moodle/moodle (Packagist) | >= 3.6.0, < 3.6.5 | 3.6.5 |
| moodle/moodle (Packagist) | < 3.5.7 | 3.5.7 |
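To triage an inventory against the affected ranges in the table above, the following added example (not code from Moodle or from the advisory) maps a Moodle release string to the patched version it needs. The function names, the handling of build suffixes, and the sample inventory are assumptions made for illustration.

```python
import re

# Affected ranges from the advisory table: (min_inclusive, fixed_exclusive).
# None as the lower bound means "every earlier release".
AFFECTED_RANGES = [
    ((3, 7, 0), (3, 7, 1)),
    ((3, 6, 0), (3, 6, 5)),
    (None, (3, 5, 7)),
]

_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_release(release):
    """Return (major, minor, patch) from a Moodle release string.

    Assumption: suffixes such as "+" (weekly build) or "(Build: ...)" are
    ignored, so "3.6.4+" is treated as 3.6.4. That is the conservative
    reading: a weekly build is only known to be at least its base release.
    """
    match = _VERSION_RE.search(release)
    if not match:
        raise ValueError(f"no version number in {release!r}")
    major, minor, patch = match.groups()
    return (int(major), int(minor), int(patch or 0))


def fixed_in(release):
    """Return the patched version string if release is affected, else None."""
    version = parse_release(release)
    for low, fixed in AFFECTED_RANGES:
        if (low is None or version >= low) and version < fixed:
            return ".".join(map(str, fixed))
    return None


if __name__ == "__main__":
    # Constructed sample inventory, not data from the advisory.
    inventory = {
        "lms-a": "3.7.0 (Build: 20190520)",
        "lms-b": "3.6.4+ (Build: 20190524)",
        "lms-c": "3.4.9",
        "lms-d": "3.5.7",
    }
    for host, release in inventory.items():
        target = fixed_in(release)
        status = f"AFFECTED, upgrade to {target} or later" if target else "not affected"
        print(f"{host}: {release} -> {status}")
```

A host flagged on a "+" weekly build should be confirmed against its actual build date, since the base release number alone does not show whether the fix was already included.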
References
- github.com/advisories/GHSA-h7xp-7fjp-ghhc (source: GHSA; type: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2019-10189 (source: GHSA; type: ADVISORY)
- www.securityfocus.com/bid/109271 (source: GHSA; type: vdb-entry, x_refsource_BID, WEB)
- bugzilla.redhat.com/show_bug.cgi (source: GHSA; type: x_refsource_CONFIRM, WEB)
- moodle.org/mod/forum/discuss.php (source: GHSA; type: x_refsource_CONFIRM, WEB)