Moodle: idor in badges allows deletion of arbitrary badges
Description
A missing capability check in Moodle allows users to delete badges they do not have permission to access.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A missing capability check in Moodle allows users to delete badges they do not have permission to access.
Vulnerability
Description CVE-2024-43431 is a vulnerability in Moodle that stems from insufficient capability checks. The flaw allows a user to delete badges even when they lack the necessary permissions to access those badges. This indicates a missing or improperly enforced authorization check in the badge management functionality [1][2].
Exploitation
To exploit this vulnerability, an attacker must be an authenticated user of the Moodle site. The attack does not require any special privileges beyond a standard user account. The attacker can delete badges that are not intended for their role, potentially affecting badges owned or managed by other users or system-wide badges [1][2].
Impact
Successful exploitation allows an attacker to delete badges that they should not have access to. This can disrupt the badge system, remove earned credentials from other users, and undermine the integrity of the site's recognition and achievement framework. The impact is primarily on data integrity and availability of badge records [1][2].
Mitigation
The Moodle project has addressed this vulnerability in a security release. Administrators are advised to update their Moodle installations to the latest patched version. No workaround is currently available other than applying the update [1][2].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
moodle/moodlePackagist | < 4.1.12 | 4.1.12 |
moodle/moodlePackagist | >= 4.2.0-beta, < 4.2.9 | 4.2.9 |
moodle/moodlePackagist | >= 4.3.0-beta, < 4.3.6 | 4.3.6 |
moodle/moodlePackagist | >= 4.4.0-beta, < 4.4.2 | 4.4.2 |
Affected products
3- osv-coords2 versions
< 4.1.12+ 1 more
- (no CPE)range: < 4.1.12
- (no CPE)range: < 4.1.12
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
4- github.com/advisories/GHSA-wwjf-gwrv-wh45ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2024-43431ghsaADVISORY
- bugzilla.redhat.com/show_bug.cgighsaissue-trackingx_refsource_REDHATWEB
- moodle.org/mod/forum/discuss.phpghsaWEB
News mentions
0No linked articles in our index yet.