Date Published: June 2024
Product: Moodle
Component: Report Schedule
Severity: Medium
CVE: CVE-2024-48901
Original Advisory: Moodle Security Advisories - MSA-24-0016
What Is CVE-2024-48901?
CVE-2024-48901 is a security vulnerability in Moodle, the popular open-source learning platform used worldwide by schools, universities and businesses.
The issue: Moodle failed to check permissions properly when a user accessed the schedules attached to a report. A user could view ("peek at") a report's schedules even without permission to edit that report, which is the capability that is meant to gate access to them, a clear violation of the privacy and access-control expectations around reports.
For background, Moodle's report builder lets a report's editors schedule it to be generated at set times and delivered to chosen recipients, for example a weekly grade export or an attendance summary. Because of this oversight, a user with access to the system could potentially view schedule details they should not be able to see, including the fact that a schedule exists at all.
Normally, two questions have to be answered before a schedule is shown: does the user have access to the scheduling feature at all, and should this particular schedule be visible to the user, that is, can they edit the report it belongs to?
Due to this vulnerability, Moodle didn't check the second part: just having access to the schedule could let you view information about it, even without edit rights on the report itself.
Technical Details: How Can This Be Exploited?
In practice, any user who can reach the scheduling feature (for example via a direct URL or request) might be able to enumerate or view details of report schedules that belong to reports they cannot edit. Consider two teachers on the same site:
- Alice creates a report and sets up a schedule for it.
- Bob, another teacher, is not permitted to see Alice's reports or schedules.
- But Bob visits a crafted URL or otherwise interacts with the scheduling feature and can see, or infer, that Alice has a schedule for a report, and view information about it.
Example Code Snippet
Below is a *pseudo-code* example (this does not represent the exact Moodle source, but outlines the logic flaw):
// Example of the old logic: only authentication is checked.
function view_report_schedule(int $scheduleid): void {
    $schedule = get_schedule($scheduleid);

    // Only checks that the user is logged in.
    if (!is_logged_in()) {
        throw new Exception('Not allowed!');
    }

    // Never checks whether the user can edit the report this schedule belongs to.
    display_schedule($schedule);
}
What should it look like?
// The right way: resolve the schedule's parent report and check the edit
// capability on it before anything about the schedule is shown.
function view_report_schedule(int $scheduleid, int $userid): void {
    $schedule = get_schedule($scheduleid);

    if (!is_logged_in()) {
        throw new Exception('Not allowed!');
    }

    // The schedule is only visible to users who can edit its report.
    if (!user_can_edit_report($userid, $schedule->reportid)) {
        throw new Exception('Permission denied!');
    }

    display_schedule($schedule);
}
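To make the difference between the two policies concrete, here is a runnable model of the access decision, added as an example for this write-up (Python, not Moodle's code). It holds reports, their editors and their schedules in memory, implements a viewer that only checks for a logged-in user, a viewer that resolves the schedule's parent report and requires the edit capability on it, and an enumeration loop that shows what each policy leaks to someone walking schedule ids. All user ids, report names and schedule ids are constructed. The fixed viewer also answers an unknown id and a forbidden id with the same denial, so the response does not reveal whether a schedule exists; that is a design choice of this example, not something the advisory specifies.

```python
"""Model of the access-control decision for report schedules (added example, not Moodle code)."""
from dataclasses import dataclass, field


class PermissionDenied(Exception):
    """Raised when the caller may not view the requested schedule."""


@dataclass(frozen=True)
class Report:
    id: int
    name: str
    editors: frozenset  # user ids holding the edit capability on this report (constructed)


@dataclass(frozen=True)
class Schedule:
    id: int
    report_id: int  # the parent report; authorization must be derived from it
    name: str


@dataclass
class Store:
    reports: dict = field(default_factory=dict)
    schedules: dict = field(default_factory=dict)


def build_fixture() -> Store:
    """Constructed fixture: Alice (101) edits report 1, Bob (102) edits report 2."""
    store = Store()
    store.reports[1] = Report(1, "Alice's grade export", frozenset({101}))
    store.reports[2] = Report(2, "Bob's attendance summary", frozenset({102}))
    store.schedules[10] = Schedule(10, 1, "Weekly export to Alice")
    store.schedules[11] = Schedule(11, 1, "Monthly export to department")
    store.schedules[20] = Schedule(20, 2, "Daily attendance")
    return store


def view_schedule_vulnerable(store: Store, schedule_id: int, user_id):
    """The flawed policy: any logged-in user may read any schedule by id."""
    if user_id is None:
        raise PermissionDenied("login required")
    schedule = store.schedules.get(schedule_id)
    if schedule is None:
        raise LookupError("no such schedule")  # also tells the client which ids exist
    return schedule


def view_schedule_fixed(store: Store, schedule_id: int, user_id):
    """The corrected policy: the caller must hold the edit capability on the parent report.

    An unknown id and a forbidden id both raise PermissionDenied, so an
    enumerating client cannot tell whether a schedule exists (a choice made
    in this example, not a requirement stated by the advisory).
    """
    if user_id is None:
        raise PermissionDenied("login required")
    schedule = store.schedules.get(schedule_id)
    report = store.reports.get(schedule.report_id) if schedule else None
    if report is None or user_id not in report.editors:
        raise PermissionDenied("cannot edit the report this schedule belongs to")
    return schedule


def outcome(store, view_fn, schedule_id, user_id) -> str:
    """Classify one request as 'ok', 'denied' or 'missing' (what the client can observe)."""
    try:
        view_fn(store, schedule_id, user_id)
        return "ok"
    except PermissionDenied:
        return "denied"
    except LookupError:
        return "missing"


def enumerate_visible(store, view_fn, user_id, id_range):
    """Walk a range of ids as an attacker would; return the ones the policy lets user_id read."""
    return [sid for sid in id_range if outcome(store, view_fn, sid, user_id) == "ok"]


if __name__ == "__main__":
    s = build_fixture()
    for label, fn in (("vulnerable", view_schedule_vulnerable), ("fixed", view_schedule_fixed)):
        print(label, "policy, Bob (102) can read schedules:", enumerate_visible(s, fn, 102, range(30)))
```

Bob walking ids 0 to 29 collects every schedule under the vulnerable policy and only his own under the fixed one. A second thing to notice is that the vulnerable viewer distinguishes a missing id from an existing one, so even a version that blocked the final display but still raised "not found" early would confirm which ids exist; the fixed viewer returns the same denial in both cases.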
How To Exploit (Educational Only!)
IMPORTANT: This is for educational/awareness purposes only. Do not attack systems you don’t own.
Steps
1. Identify a valid report schedule ID (sometimes these are guessable, since they are sequential integers, or visible in links or network traffic).
2. Request the schedule directly, for example via a URL of the form /report/schedule/view.php?id=12345. (This path is only an illustration for this write-up; it is not an actual Moodle endpoint.)
3. View schedule details that you should not have access to.
If the patch isn't applied, the schedule loads even though you do not have edit permission on the underlying report.
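From the defender's side, the pattern in these steps (one client walking through consecutive schedule ids) is visible in the web server log whether or not the site has been patched: before the fix the requests return 200, after it they are refused. The following is an added example for this write-up (Python; not part of the original page and not Moodle code). It parses a handful of constructed Apache-style access log lines, extracts the schedule id from the page's illustrative path /report/schedule/view.php?id=..., which is an assumption rather than a real Moodle URL, and flags any client IP that requests at least five distinct ids within sixty seconds, together with the status codes it received.

```python
"""Spot one client walking through schedule ids in web server logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime

# Apache combined-style line; only the fields used below are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Assumed endpoint: the illustrative path used in this write-up, not a real Moodle URL.
# Point this at the schedule endpoint as it appears in your own logs.
SCHEDULE_RE = re.compile(r'^/report/schedule/view\.php\?(?:.*&)?id=(?P<id>\d+)')

# Constructed sample log: 10.0.0.5 walks six consecutive ids in a few seconds
# (one of them does not exist), while 10.0.0.9 opens the same schedule twice.
SAMPLE_LOG = """\
10.0.0.5 - - [18/Nov/2024:10:00:01 +0000] "GET /report/schedule/view.php?id=12345 HTTP/1.1" 200 812 "-" "Mozilla/5.0"
10.0.0.5 - - [18/Nov/2024:10:00:02 +0000] "GET /report/schedule/view.php?id=12346 HTTP/1.1" 200 790 "-" "Mozilla/5.0"
10.0.0.5 - - [18/Nov/2024:10:00:03 +0000] "GET /report/schedule/view.php?id=12347 HTTP/1.1" 200 801 "-" "Mozilla/5.0"
10.0.0.9 - - [18/Nov/2024:10:00:03 +0000] "GET /report/schedule/view.php?id=12345 HTTP/1.1" 200 812 "-" "Mozilla/5.0"
10.0.0.5 - - [18/Nov/2024:10:00:04 +0000] "GET /report/schedule/view.php?id=12348 HTTP/1.1" 404 512 "-" "Mozilla/5.0"
10.0.0.5 - - [18/Nov/2024:10:00:05 +0000] "GET /report/schedule/view.php?id=12349 HTTP/1.1" 200 799 "-" "Mozilla/5.0"
10.0.0.9 - - [18/Nov/2024:10:00:40 +0000] "GET /report/schedule/view.php?id=12345 HTTP/1.1" 200 812 "-" "Mozilla/5.0"
10.0.0.5 - - [18/Nov/2024:10:00:06 +0000] "GET /course/view.php?id=7 HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
10.0.0.5 - - [18/Nov/2024:10:00:07 +0000] "GET /report/schedule/view.php?id=12350 HTTP/1.1" 200 803 "-" "Mozilla/5.0"
"""


def parse_line(line: str):
    """Return {ip, ts, id, status} for a schedule request, or None for any other line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    s = SCHEDULE_RE.match(m["path"])
    if not s:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m["ip"], "ts": ts, "id": int(s["id"]), "status": int(m["status"])}


def find_enumeration(lines, min_distinct: int = 5, window_seconds: int = 60) -> dict:
    """Flag each client IP that requests at least min_distinct different schedule ids
    within any window of window_seconds. The status breakdown shows whether the
    requests succeeded (200 on an unpatched site) or were refused."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)

    alerts = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        for i, first in enumerate(recs):
            window = [r for r in recs[i:] if (r["ts"] - first["ts"]).total_seconds() <= window_seconds]
            ids = {r["id"] for r in window}
            if len(ids) >= min_distinct:
                statuses = defaultdict(int)
                for r in window:
                    statuses[r["status"]] += 1
                alerts[ip] = {"distinct_ids": len(ids), "statuses": dict(statuses)}
                break  # one alert per client is enough
    return alerts


if __name__ == "__main__":
    for ip, info in find_enumeration(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {info['distinct_ids']} distinct schedule ids, statuses {info['statuses']}")
```

Run against the sample, only 10.0.0.5 is flagged (six distinct ids, five of them answered with 200), while the repeat visitor 10.0.0.9 is not. The threshold and window are deliberately conservative; a report editor with many schedules could legitimately open several in a minute, so treat a hit as something to review together with the Moodle user behind the session rather than as proof of abuse.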
How To Fix It
Moodle fixed this by adding a capability check before a report's schedule is shown: only users who can edit the report can access or view its schedules.
Upgrade your Moodle installation to a security release that contains the fix; the advisory lists the affected and fixed versions.
See the official advisory, MSA-24-0016, for details.
References
- CVE-2024-48901 at NVD
- Moodle Security Advisory: MSA-24-0016
- Moodle source patch (example commit; check the advisory for the commit matching your Moodle version)
Final Thoughts
While this bug is not *immediately* catastrophic (it doesn't allow code execution or a takeover of the Moodle site), it can expose sensitive data or schedules to users who shouldn't see them. That matters, especially in education environments.
Always keep your Moodle up-to-date with the latest security releases—it's the simplest way to keep teachers, students, and your data safe.
*Written exclusively for you by ChatGPT, June 2024.*
Timeline
Published on: 11/18/2024 12:15:18 UTC
Last modified on: 11/20/2024 14:45:10 UTC