VYPR
Moderate severity · NVD Advisory · Published May 31, 2024 · Updated Aug 2, 2024

moodle: broken access control when setting calendar event type

CVE-2024-33996

Description

Incorrect validation of allowed event types in a calendar web service made it possible for some users to create events with types/audiences they did not have permission to publish to.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                      Affected versions      Patched versions
moodle/moodle (Packagist)    >= 4.3.0, < 4.3.4      4.3.4
moodle/moodle (Packagist)    >= 4.2.0, < 4.2.7      4.2.7
moodle/moodle (Packagist)    < 4.1.10               4.1.10

Affected products: 3

Vulnerability mechanics

Root cause

"Missing server-side validation of the event type against the user's allowed event types allows privilege escalation in event creation."

Attack vector

An authenticated user who only has permission to create personal ('user') events can craft a web service request that specifies a different event type (e.g. 'course' or 'group') that they are not authorized to use. The server-side validation in `submit_create_update_form` did not check whether the submitted event type was among the types the user was allowed to use, so the request was accepted and an event was created with an audience the user should not have been able to publish to [CWE-20][patch_id=6651213].

Affected code

The vulnerability resides in `calendar/externallib.php` and `calendar/classes/local/event/forms/eventtype.php`. The `submit_create_update_form` function in `calendar/externallib.php` did not validate the event type against the user's allowed event types before processing the form, and the event type form element could be bypassed when only the 'user' type was allowed because it was a hidden field that the client could override [patch_id=6651213][patch_id=6651214].

What the fix does

Patch 6651213 adds a check in `submit_create_update_form` that retrieves the user's allowed event types via `calendar_get_allowed_event_types()` and rejects the request if the submitted event type is not in that set or if the user has no allowed types at all. Patch 6651214 hardens the form layer: when only the 'user' event type is permitted, the event type field is frozen (`hardFreeze`) and set as a constant so the client cannot override it, preventing the bypass even if the server-side check were missed [patch_id=6651213][patch_id=6651214].
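The server-side check described above, as an added illustration that is not Moodle's own code: the permission map is a constructed stand-in for `calendar_get_allowed_event_types()`, and the two handler functions are hypothetical simplifications of the web service before and after the fix.

```php
<?php
// Added illustration; not Moodle's own code. The permission map below is a constructed
// stand-in for calendar_get_allowed_event_types(), which in Moodle returns a map of
// event type => bool for the current user.
declare(strict_types=1);

/** Constructed: a caller who may only publish personal ('user') events. */
function demo_allowed_event_types(): array {
    return ['user' => true, 'course' => false, 'group' => false,
            'category' => false, 'site' => false];
}

/** Hypothetical pre-fix handler: the submitted eventtype is trusted as-is. */
function create_event_unchecked(array $request): array {
    return ['status' => 'created', 'eventtype' => $request['eventtype'] ?? ''];
}

/** Hypothetical post-fix handler: validate eventtype against the caller's allowed set. */
function create_event_checked(array $request, callable $allowedtypes): array {
    // Keep only the types the caller may use, e.g. ['user'].
    $allowed = array_keys(array_filter($allowedtypes()));
    if ($allowed === []) {
        throw new RuntimeException('Caller has no allowed event types');
    }
    $type = $request['eventtype'] ?? '';
    if (!in_array($type, $allowed, true)) {
        throw new RuntimeException("Event type '$type' is not permitted for this caller");
    }
    return ['status' => 'created', 'eventtype' => $type];
}

// Constructed request: a 'user'-only caller submitting a 'course' event.
$request = ['name' => 'Exam', 'eventtype' => 'course', 'courseid' => 42];

// Pre-fix: the event is created with an audience the caller cannot publish to.
$before = create_event_unchecked($request);
echo "unchecked: {$before['eventtype']}\n";

// Post-fix: the same request is rejected before any event is written.
try {
    create_event_checked($request, 'demo_allowed_event_types');
} catch (RuntimeException $e) {
    echo "checked: {$e->getMessage()}\n";
}

// A legitimate 'user' event from the same caller still passes the check.
$after = create_event_checked(['name' => 'Dentist', 'eventtype' => 'user'], 'demo_allowed_event_types');
echo "checked: {$after['eventtype']}\n";
```

The empty-set branch matters for audit logging: a rejection there means the caller has no calendar publishing rights at all, which is a different signal from a caller probing for a type above their own.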

Preconditions

  • auth: The attacker must be an authenticated Moodle user with limited event creation permissions (e.g. only allowed to create personal 'user' events).
  • network: The attacker must be able to send a crafted web service request to the calendar's submit_create_update_form endpoint.
  • input: The request must include an event type value (e.g. 'course' or 'group') that the attacker is not authorized to use.

Generated on Jun 19, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 3