moodle: BigBlueButton web service leaks meeting joining information to users who should not have access
Description
BigBlueButtonBN activity in Moodle failed to check permissions before returning meeting join URLs, allowing unauthorized access.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The BigBlueButtonBN activity module in Moodle lacked a sufficient capability check when a user requested a meeting join URL. The external API function that generates the URL did not verify that the user held the mod/bigbluebuttonbn:join capability for the course [1][2][3][4]. As a result, any user who could trigger the API call could retrieve a join URL, regardless of the permissions intended for them.
Exploitation
An attacker could exploit this by sending a request to the vulnerable API endpoint while enrolled in a course that uses BigBlueButtonBN. No authentication beyond a valid user session in the course is required. The fix commits [2][3][4] show that, without the missing check, restricted_context_exception was never thrown and the URL was returned, so a user who had been explicitly prohibited from joining meetings could still obtain the join URL.
Impact
An attacker who obtains a meeting join URL through this bug can enter the associated BigBlueButton session and listen to or take part in meetings they were not meant to attend. This breaks the course's intended access-control model and could lead to information disclosure or disruption of live sessions.
Mitigation
The issue is identified as CVE-2024-38273 and has been patched in the Moodle core repository [2][3][4]. Administrators should update their Moodle installation to a version that includes the fix, which adds an access check before the URL is returned and throws restricted_context_exception when the user lacks the join capability in the course context [2][3][4]. A Fedora advisory is also available [1] to guide package updates.
- [1] NVD - CVE-2024-38273
- [2] MDL-81778 mod_bigbluebuttonbn: access checks when getting meeting URL. · moodle/moodle@500cec5
- [3] MDL-81778 mod_bigbluebuttonbn: access checks when getting meeting URL. · moodle/moodle@6c0645c
- [4] MDL-81778 mod_bigbluebuttonbn: access checks when getting meeting URL. · moodle/moodle@647b9dc
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| moodle/moodle (Packagist) | >= 4.4.0-beta, < 4.4.1 | 4.4.1 |
| moodle/moodle (Packagist) | >= 4.3.0-beta, < 4.3.5 | 4.3.5 |
| moodle/moodle (Packagist) | >= 4.2.0-beta, < 4.2.8 | 4.2.8 |
| moodle/moodle (Packagist) | < 4.1.11 | 4.1.11 |
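To turn the ranges in the table above into a check an administrator can run against an installed version, here is an added Python example that is not part of the advisory or of Moodle itself. The ranges are copied from the table (lower bound inclusive, upper bound exclusive), the pre-release ordering (dev < alpha < beta < rc < final) follows Composer's conventions, and `AFFECTED_RANGES` and the function names are my own.

```python
import re
from typing import Optional, Tuple

# Affected ranges copied from the advisory table on this page: lower bound
# inclusive, upper bound exclusive; None means the advisory gives no lower bound.
AFFECTED_RANGES = [
    ("4.4.0-beta", "4.4.1"),
    ("4.3.0-beta", "4.3.5"),
    ("4.2.0-beta", "4.2.8"),
    (None, "4.1.11"),
]

# Composer-style pre-release ordering; a final release sorts after all of them.
PRERELEASE_ORDER = {"dev": 0, "alpha": 1, "beta": 2, "rc": 3}
FINAL_RELEASE = 9


def version_key(version: str) -> Tuple[Tuple[int, ...], int, int]:
    """Sort key for strings such as '4.4.0', '4.4.0-beta' or '4.4.0-rc2'."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-([a-z]+)(\d*))?", version.strip().lower())
    if not m:
        raise ValueError(f"unsupported version string: {version!r}")
    numbers = tuple(int(part) for part in m.group(1).split("."))
    numbers += (0,) * (3 - len(numbers))  # pad so that '4.4' compares as 4.4.0
    if m.group(2) is None:
        return numbers, FINAL_RELEASE, 0
    tag = PRERELEASE_ORDER.get(m.group(2))
    if tag is None:
        raise ValueError(f"unknown pre-release tag in {version!r}")
    return numbers, tag, int(m.group(3) or 0)


def patched_version_for(version: str) -> Optional[str]:
    """Return the first fixed release on the matching branch, or None if not affected."""
    key = version_key(version)
    for lower, upper in AFFECTED_RANGES:
        above_lower = lower is None or key >= version_key(lower)
        if above_lower and key < version_key(upper):
            return upper
    return None


def is_affected(version: str) -> bool:
    """True when the installed version falls inside one of the affected ranges."""
    return patched_version_for(version) is not None


if __name__ == "__main__":
    for v in ("4.4.0-beta", "4.3.5", "4.1.10", "4.5.0"):  # constructed sample inputs
        print(v, "->", patched_version_for(v) or "not affected")
```

The installed version string is in Moodle's `version.php` (`$release`); only the numeric prefix and any pre-release tag are needed for the comparison.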
Affected products
- osv-coords, 2 version ranges (no CPE):
  - >= 4.1.0, < 4.1.11
  - >= 4.4.0-beta, < 4.4.1
Patches
500cec575731 MDL-81778 mod_bigbluebuttonbn: access checks when getting meeting URL.
2 files changed · +30 −0
mod/bigbluebuttonbn/classes/external/get_join_url.php+6 −0 modified@@ -55,6 +55,8 @@ public static function execute_parameters(): external_function_parameters { * @param int $cmid the bigbluebuttonbn course module id * @param null|int $groupid * @return array (empty array for now) + * + * @throws restricted_context_exception */ public static function execute( int $cmid, @@ -81,7 +83,11 @@ public static function execute( } $instance->set_group_id($groupid); + // Validate that the user has access to this activity and to join the meeting. self::validate_context($instance->get_context()); + if (!$instance->can_join()) { + throw new restricted_context_exception(); + } try { $result['join_url'] = meeting::join_meeting($instance);
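Review bot: in the second hunk the new check is ordered correctly, `self::validate_context($instance->get_context())` before `$instance->can_join()`, but `$instance->set_group_id($groupid)` has already applied the caller-supplied group id by the time `can_join()` runs; confirm that `can_join()` takes the selected group into account, or move the group assignment below the checks and validate group membership next to it. The bare `throw new restricted_context_exception();` is a reasonable choice here, since a detailed reason would tell the caller more about the meeting than a refused request should; the `@throws restricted_context_exception` line added in the first hunk documents the new failure mode for API consumers.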
mod/bigbluebuttonbn/tests/external/get_join_url_test.php+24 −0 modified@@ -16,7 +16,9 @@ namespace mod_bigbluebuttonbn\external; +use context_course; use core_external\external_api; +use core_external\restricted_context_exception; use mod_bigbluebuttonbn\instance; use mod_bigbluebuttonbn\test\testcase_helper_trait; use moodle_exception; @@ -86,6 +88,28 @@ public function test_execute_without_login() { $this->get_join_url($instance->get_cm_id()); } + /** + * Test execution with a user who doesn't have the capability to join the meeting + */ + public function test_execute_without_capability(): void { + global $DB; + + $this->resetAfterTest(); + + $course = $this->getDataGenerator()->create_course(); + $record = $this->getDataGenerator()->create_module('bigbluebuttonbn', ['course' => $course->id]); + $instance = instance::get_from_instanceid($record->id); + + $user = $this->getDataGenerator()->create_and_enrol($course); + $this->setUser($user); + + $student = $DB->get_field('role', 'id', ['shortname' => 'student'], MUST_EXIST); + assign_capability('mod/bigbluebuttonbn:join', CAP_PROHIBIT, $student, context_course::instance($course->id), true); + + $this->expectException(restricted_context_exception::class); + $this->get_join_url($instance->get_cm_id()); + } + /** * Test execute API CALL with invalid login */
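Review bot: `test_execute_without_capability()` only exercises the `CAP_PROHIBIT` override; a companion test that re-enables `mod/bigbluebuttonbn:join` for the same user and asserts a `join_url` is returned would catch the opposite regression, `can_join()` becoming too strict. Style: the new method's docblock has no `@covers` tag (Moodle's PHPUnit guidelines ask for one, e.g. `@covers ::execute`), and the `global $DB` lookup of the student role id is the kind of direct database access that could be replaced by the existing role helpers so the test depends only on the generator.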
647b9dc06409 MDL-81778 mod_bigbluebuttonbn: access checks when getting meeting URL.
2 files changed · +30 −0
mod/bigbluebuttonbn/classes/external/get_join_url.php+6 −0 modified@@ -55,6 +55,8 @@ public static function execute_parameters(): external_function_parameters { * @param int $cmid the bigbluebuttonbn course module id * @param null|int $groupid * @return array (empty array for now) + * + * @throws restricted_context_exception */ public static function execute( int $cmid, @@ -81,7 +83,11 @@ public static function execute( } $instance->set_group_id($groupid); + // Validate that the user has access to this activity and to join the meeting. self::validate_context($instance->get_context()); + if (!$instance->can_join()) { + throw new restricted_context_exception(); + } try { $result['join_url'] = meeting::join_meeting($instance);
mod/bigbluebuttonbn/tests/external/get_join_url_test.php+24 −0 modified@@ -16,7 +16,9 @@ namespace mod_bigbluebuttonbn\external; +use context_course; use core_external\external_api; +use core_external\restricted_context_exception; use mod_bigbluebuttonbn\instance; use mod_bigbluebuttonbn\test\testcase_helper_trait; use moodle_exception; @@ -85,6 +87,28 @@ public function test_execute_without_login() { $this->get_join_url($instance->get_cm_id()); } + /** + * Test execution with a user who doesn't have the capability to join the meeting + */ + public function test_execute_without_capability(): void { + global $DB; + + $this->resetAfterTest(); + + $course = $this->getDataGenerator()->create_course(); + $record = $this->getDataGenerator()->create_module('bigbluebuttonbn', ['course' => $course->id]); + $instance = instance::get_from_instanceid($record->id); + + $user = $this->getDataGenerator()->create_and_enrol($course); + $this->setUser($user); + + $student = $DB->get_field('role', 'id', ['shortname' => 'student'], MUST_EXIST); + assign_capability('mod/bigbluebuttonbn:join', CAP_PROHIBIT, $student, context_course::instance($course->id), true); + + $this->expectException(restricted_context_exception::class); + $this->get_join_url($instance->get_cm_id()); + } + /** * Test execute API CALL with invalid login */
6c0645ca29b1 MDL-81778 mod_bigbluebuttonbn: access checks when getting meeting URL.
2 files changed · +30 −0
mod/bigbluebuttonbn/classes/external/get_join_url.php+6 −0 modified@@ -55,6 +55,8 @@ public static function execute_parameters(): external_function_parameters { * @param int $cmid the bigbluebuttonbn course module id * @param null|int $groupid * @return array (empty array for now) + * + * @throws restricted_context_exception */ public static function execute( int $cmid, @@ -81,7 +83,11 @@ public static function execute( } $instance->set_group_id($groupid); + // Validate that the user has access to this activity and to join the meeting. self::validate_context($instance->get_context()); + if (!$instance->can_join()) { + throw new restricted_context_exception(); + } try { $result['join_url'] = meeting::join_meeting($instance);
mod/bigbluebuttonbn/tests/external/get_join_url_test.php+24 −0 modified@@ -16,7 +16,9 @@ namespace mod_bigbluebuttonbn\external; +use context_course; use core_external\external_api; +use core_external\restricted_context_exception; use mod_bigbluebuttonbn\instance; use mod_bigbluebuttonbn\test\testcase_helper_trait; use moodle_exception; @@ -85,6 +87,28 @@ public function test_execute_without_login() { $this->get_join_url($instance->get_cm_id()); } + /** + * Test execution with a user who doesn't have the capability to join the meeting + */ + public function test_execute_without_capability(): void { + global $DB; + + $this->resetAfterTest(); + + $course = $this->getDataGenerator()->create_course(); + $record = $this->getDataGenerator()->create_module('bigbluebuttonbn', ['course' => $course->id]); + $instance = instance::get_from_instanceid($record->id); + + $user = $this->getDataGenerator()->create_and_enrol($course); + $this->setUser($user); + + $student = $DB->get_field('role', 'id', ['shortname' => 'student'], MUST_EXIST); + assign_capability('mod/bigbluebuttonbn:join', CAP_PROHIBIT, $student, context_course::instance($course->id), true); + + $this->expectException(restricted_context_exception::class); + $this->get_join_url($instance->get_cm_id()); + } + /** * Test execute API CALL with invalid login */
a10506b8d706 MDL-81778 mod_bigbluebuttonbn: access checks when getting meeting URL.
2 files changed · +30 −0
mod/bigbluebuttonbn/classes/external/get_join_url.php+6 −0 modified@@ -59,6 +59,8 @@ public static function execute_parameters(): external_function_parameters { * @param int $cmid the bigbluebuttonbn course module id * @param null|int $groupid * @return array (empty array for now) + * + * @throws restricted_context_exception */ public static function execute( int $cmid, @@ -85,7 +87,11 @@ public static function execute( } $instance->set_group_id($groupid); + // Validate that the user has access to this activity and to join the meeting. self::validate_context($instance->get_context()); + if (!$instance->can_join()) { + throw new restricted_context_exception(); + } try { $result['join_url'] = meeting::join_meeting($instance);
mod/bigbluebuttonbn/tests/external/get_join_url_test.php+24 −0 modified@@ -16,7 +16,9 @@ namespace mod_bigbluebuttonbn\external; +use context_course; use external_api; +use restricted_context_exception; use mod_bigbluebuttonbn\instance; use mod_bigbluebuttonbn\local\config; use mod_bigbluebuttonbn\test\testcase_helper_trait; @@ -86,6 +88,28 @@ public function test_execute_without_login() { $this->get_join_url($instance->get_cm_id()); } + /** + * Test execution with a user who doesn't have the capability to join the meeting + */ + public function test_execute_without_capability(): void { + global $DB; + + $this->resetAfterTest(); + + $course = $this->getDataGenerator()->create_course(); + $record = $this->getDataGenerator()->create_module('bigbluebuttonbn', ['course' => $course->id]); + $instance = instance::get_from_instanceid($record->id); + + $user = $this->getDataGenerator()->create_and_enrol($course); + $this->setUser($user); + + $student = $DB->get_field('role', 'id', ['shortname' => 'student'], MUST_EXIST); + assign_capability('mod/bigbluebuttonbn:join', CAP_PROHIBIT, $student, context_course::instance($course->id), true); + + $this->expectException(restricted_context_exception::class); + $this->get_join_url($instance->get_cm_id()); + } + /** * Test execute API CALL with invalid login */
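Review bot: this backport imports `external_api` and `restricted_context_exception` from the global namespace rather than `core_external\...` as the other three commits do, which matches where those classes live on the older branch before the core_external namespace was introduced in 4.2; the test body itself is identical to the other commits, so keep the four copies in sync if any one of them is amended later. The context line `use mod_bigbluebuttonbn\local\config;` also shows this file already diverges from the newer branches, so future test changes will not cherry-pick cleanly onto it.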
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-x29x-qwvx-fxr2 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2024-38273 (ghsa, ADVISORY)
- github.com/moodle/moodle/commit/500cec575731fd8575569dcb5811535751dddae1 (ghsa, WEB)
- github.com/moodle/moodle/commit/647b9dc06409211018c9f28581504d096ce9e3a8 (ghsa, WEB)
- github.com/moodle/moodle/commit/6c0645ca29b195b5caaffc27d80f2ff715c33a48 (ghsa, WEB)
- github.com/moodle/moodle/commit/a10506b8d70609478fef156d489e0c7d727b6098 (ghsa, WEB)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F7AZYR7EXV6E5SQE2GYTNQE3NOENJCQ6 (ghsa, WEB)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GHTIX55J4Q4LEOMLNEA4OZSWVEENQX7E (ghsa, WEB)
- moodle.org/mod/forum/discuss.php (ghsa, WEB)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F7AZYR7EXV6E5SQE2GYTNQE3NOENJCQ6/ (mitre)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GHTIX55J4Q4LEOMLNEA4OZSWVEENQX7E/ (mitre)