Moodle: possible to set the preferred "start page" of other users
Description
Moodle's insufficient start page preference validation allows remote attackers to set another user's start page, potentially gaining unauthorized access to restricted functionality.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The vulnerability arises from insufficient limitations on the "start page" preference. According to the official description [1], this made it possible for a remote attacker to set that preference for another user. The Red Hat Bugzilla entry [2] notes that the value itself was limited to pre-defined start page options; the missing control was on which user's preference a request is allowed to write, so one authenticated user could modify another user's setting.
Exploitation requires an attacker who can reach the Moodle instance and submit a request to the preference-setting code path naming a different user as the target; the cited references do not give the request details. Because the start page decides where that user lands after login, the attacker can redirect another user to one of the predefined options. The official description [1] frames the outcome as potential access to otherwise restricted functionality; what the attacker directly obtains is the ability to alter another user's setting, not a session in that user's context.
The stated impact is unauthorized access to otherwise restricted functionality [1]. Since the value is confined to pre-defined options [2], the practical effect is a cross-user integrity violation of a user preference; nothing in the cited references supports escalation to sensitive data beyond that. The vulnerability affects Moodle 4.1, 4.0 to 4.0.5, 3.11 to 3.11.11, 3.9 to 3.9.18, and earlier unsupported versions [2].
Moodle has released fixed versions: 4.1.1, 4.0.6, 3.11.12, and 3.9.19 [2]. Users are advised to upgrade to these versions or later. No workaround is mentioned in the available references.
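As an added illustration of the pattern described above (example code written for this page, not Moodle's own handler; the function names, the option keys, the session model and the log lines are all constructed assumptions), here is a preference-setting handler in the vulnerable shape, the same handler with the missing ownership check, and a small check that flags cross-user writes in a constructed request log:

```python
"""Constructed model of a 'set start page' preference handler in the
vulnerable shape described for CVE-2023-23923 and in a hardened shape.
Example code, not Moodle's; every name below is an assumption."""
from dataclasses import dataclass, field

# The value is limited to predefined options (per the Red Hat entry);
# these keys are constructed for the example, not Moodle's option list.
ALLOWED_START_PAGES = {"home", "dashboard", "mycourses"}
PREF_NAME = "start_page"


@dataclass
class Session:
    """The authenticated caller. is_admin stands in for a capability check."""
    user_id: int
    is_admin: bool = False


@dataclass
class PreferenceStore:
    """In-memory stand-in for the user-preference table."""
    prefs: dict = field(default_factory=dict)  # (user_id, name) -> value

    def get(self, user_id: int, name: str):
        return self.prefs.get((user_id, name))

    def set(self, user_id: int, name: str, value: str) -> None:
        self.prefs[(user_id, name)] = value


def set_start_page_vulnerable(store: PreferenceStore, session: Session, params: dict) -> int:
    """Checks the value against the allowlist but trusts a caller-supplied
    'userid' to pick whose preference is written: any logged-in user can
    change another user's start page."""
    target = int(params.get("userid", session.user_id))
    value = params["value"]
    if value not in ALLOWED_START_PAGES:
        raise ValueError("not a predefined start page option")
    store.set(target, PREF_NAME, value)
    return target


def set_start_page_hardened(store: PreferenceStore, session: Session, params: dict) -> int:
    """Same handler plus the missing authorization check: a user may only
    write their own preference unless they hold the admin capability."""
    target = int(params.get("userid", session.user_id))
    value = params["value"]
    if value not in ALLOWED_START_PAGES:
        raise ValueError("not a predefined start page option")
    if target != session.user_id and not session.is_admin:
        raise PermissionError(f"user {session.user_id} may not edit user {target}")
    store.set(target, PREF_NAME, value)
    return target


def demo() -> dict:
    """Runs both handlers against constructed sessions and returns the outcomes."""
    results = {}
    attacker, victim, admin = Session(7), Session(3), Session(1, is_admin=True)

    store = PreferenceStore()
    set_start_page_vulnerable(store, attacker, {"userid": "3", "value": "dashboard"})
    results["vulnerable_cross_user"] = store.get(victim.user_id, PREF_NAME)  # "dashboard"

    store = PreferenceStore()
    try:
        set_start_page_hardened(store, attacker, {"userid": "3", "value": "dashboard"})
        results["hardened_cross_user"] = store.get(victim.user_id, PREF_NAME)
    except PermissionError:
        results["hardened_cross_user"] = "denied"

    set_start_page_hardened(store, attacker, {"value": "dashboard"})  # own preference: allowed
    results["hardened_self"] = store.get(attacker.user_id, PREF_NAME)

    set_start_page_hardened(store, admin, {"userid": "3", "value": "mycourses"})  # admin: allowed
    results["hardened_admin"] = store.get(victim.user_id, PREF_NAME)

    try:  # the allowlist already blocks arbitrary targets such as an external URL
        set_start_page_vulnerable(store, attacker, {"value": "http://evil.example/"})
        results["bad_value"] = "accepted"
    except ValueError:
        results["bad_value"] = "rejected"
    return results


# Constructed request-log lines (session user, target userid, value); not a Moodle log format.
SAMPLE_LOG = [
    "ts=1 sid_user=7 action=set_pref name=start_page userid=7 value=home",
    "ts=2 sid_user=7 action=set_pref name=start_page userid=3 value=dashboard",
    "ts=3 sid_user=1 action=set_pref name=start_page userid=3 value=mycourses",
]


def flag_cross_user_requests(lines: list, admins: frozenset = frozenset({1})) -> list:
    """Returns the timestamps of preference writes where a non-admin session
    user targets someone else's preference: the signal to hunt for when
    reviewing traffic to such an endpoint on an unpatched instance."""
    flagged = []
    for line in lines:
        fields = dict(kv.split("=", 1) for kv in line.split())
        if fields.get("action") != "set_pref":
            continue
        actor, target = int(fields["sid_user"]), int(fields["userid"])
        if actor != target and actor not in admins:
            flagged.append(fields["ts"])
    return flagged
```

The hardened variant keeps the allowlist (which is why the original issue was bounded to predefined options) and adds the check the description implies was missing: the target user must be the caller, or the caller must hold a capability that permits editing other users. The log check applies the same rule to recorded requests, which is the practical way to look for abuse on an instance that ran an affected version.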
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| moodle/moodle | Packagist | < 3.9.19 | 3.9.19 |
| moodle/moodle | Packagist | >= 3.10.0, < 3.11.12 | 3.11.12 |
| moodle/moodle | Packagist | >= 4.0.0-beta, < 4.0.6 | 4.0.6 |
| moodle/moodle | Packagist | >= 4.1.0-beta, < 4.1.1 | 4.1.1 |
Affected products
3 entries (OSV coordinates, no CPE assigned); version ranges shown:
- >= 3.9.0, < 3.9.19
- < 3.9.19
(1 more range not shown)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-32jc-9p58-p82x (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2023-23923 (NVD advisory)
- bugzilla.redhat.com/show_bug.cgi (Red Hat Bugzilla, web)
- moodle.org/mod/forum/discuss.php (Moodle forum, web)
News mentions
No linked articles in our index yet.