CVE-2022-40316
Description
The H5P activity attempts report in Moodle fails to filter by groups, allowing non-editing teachers to view attempts from groups they should not access in separate groups mode.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability Description
The H5P activity attempts report in Moodle does not filter data by groups when the course is in separate groups mode. This allows non-editing teachers to view attempts and user information from groups they are not supposed to access [1]. The issue affects Moodle versions 4.0 to 4.0.3, 3.11 to 3.11.9, 3.9 to 3.9.16, and earlier unsupported versions [2].
Exploitation
An attacker with the role of non-editing teacher can access the H5P activity attempts report and view details of attempts made by users in other groups. No special privileges beyond the non-editing teacher role are required; the vulnerability exists due to missing group filtering logic in the report generation [1].
Impact
This vulnerability leads to unauthorized disclosure of sensitive information, specifically the attempts and user data of students in groups that the teacher should not have access to. This violates the privacy and access controls intended by separate groups mode [1].
Mitigation
Moodle has fixed the issue in versions 4.0.4, 3.11.10, and 3.9.17 [2]. As a workaround, administrators can revoke the mod/h5pactivity:reviewattempts capability from non-editing teachers until the patch is applied [2].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| moodle/moodle (Packagist) | >= 3.9, < 3.9.17 | 3.9.17 |
| moodle/moodle (Packagist) | >= 3.11, < 3.11.10 | 3.11.10 |
| moodle/moodle (Packagist) | >= 4.0, < 4.0.4 | 4.0.4 |
Affected products
- H5P activity/H5P activity (source: description)
- osv-coords (2 versions): >= 3.9.0, < 3.9.17 (+ 1 more)
  - (no CPE) range: >= 3.9.0, < 3.9.17
  - (no CPE) range: >= 3.9, < 3.9.17
References
- github.com/advisories/GHSA-385f-vgq7-8hhx (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2022-40316 (ghsa, ADVISORY)
- bugzilla.redhat.com/show_bug.cgi (ghsa, x_refsource_MISC, WEB)
- moodle.org/mod/forum/discuss.php (ghsa, x_refsource_MISC, WEB)