CVE-2021-32477
Description
Moodle 3.10 to 3.10.3 exposes mobile app last access time on profile pages to unauthorized users, violating intended access restrictions.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
In Moodle versions 3.10 through 3.10.3, the "last access time" for mobile app usage is displayed on user profile pages. This information should only be accessible to users with the relevant capability (site administrators by default), but is shown to all users viewing the profile, resulting in an information disclosure vulnerability [1].
Exploitation
An attacker with any account (or possibly even unauthenticated depending on profile visibility settings) can view any user's profile page to see the timestamp of their last mobile app access. No special privileges are required beyond being able to browse a user's profile [1].
Impact
The attacker gains knowledge of when a user last used the mobile app, which could be used to infer user activity patterns or identify periods of absence. The confidentiality of user timing data is compromised [1].
Mitigation
Moodle has patched this issue in versions after 3.10.3. Users should upgrade to the latest Moodle version. Alternatively, site administrators can disable the display of the field via a setting or restrict profile visibility. No workaround is documented in the provided references [1].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| moodle/moodle (Packagist) | >= 3.10, < 3.10.4 | 3.10.4 |
Affected products
- osv-coords (2 versions): >= 3.10.0, < 3.10.4 (+ 1 more)
- (no CPE) range: >= 3.10.0, < 3.10.4
- (no CPE) range: >= 3.10, < 3.10.4
References
- github.com/advisories/GHSA-vrpr-2xxx-g444 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2021-32477 (ghsa, ADVISORY)
- moodle.org/mod/forum/discuss.php (ghsa, x_refsource_MISC, WEB)