CVE-2021-32472
Description
Moodle CSV export flaw lets teachers with forum export capability retrieve forum data from all courses, violating access controls.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
In Moodle versions 3.10 to 3.10.3, 3.9 to 3.9.6, and 3.8 to 3.8.8, the CSV export functionality for forums fails to properly scope the export to the user's own course. When a teacher with the capability to export a forum in CSV format initiates an export, the system may unexpectedly include forum data from all courses, not just the course where the teacher is assigned [1].
Exploitation
An authenticated user with a teacher role that has the required forum export capability in at least one course can trigger the vulnerability by performing a standard CSV export of a forum. The export operation then returns a CSV file containing forum posts from all courses, bypassing the intended course-level restriction. No additional privileges or user interaction beyond the export action are needed [1].
Impact
Successful exploitation leads to unauthorized information disclosure, specifically the contents of forum posts from courses the teacher is not assigned to. This violates course-level access controls and can expose sensitive discussions, student contributions, or institutional data to users who should not have access [1].
Mitigation
The issue is fixed in Moodle versions 3.10.4, 3.9.7, and 3.8.9. Administrators should upgrade to one of these patched versions or later. No workaround is documented; the only mitigation is to apply the available security update [1].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| moodle/moodle (Packagist) | >= 3.8.0, < 3.8.9 | 3.8.9 |
| moodle/moodle (Packagist) | >= 3.9.0, < 3.9.7 | 3.9.7 |
| moodle/moodle (Packagist) | >= 3.10.0, < 3.10.4 | 3.10.4 |
References
- github.com/advisories/GHSA-454r-jccq-96q8 (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-32472 (GHSA, advisory)
- moodle.org/mod/forum/discuss.php (GHSA, web)