Bug 2179426 (CVE-2023-28336, MSA-23-0011)

Summary: CVE-2023-28336 moodle: Teacher can access names of users they do not have permission to access
Product: [Other] Security Response Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerability Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED UPSTREAM QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecified CC: kierabryantuk, prevailsfashakerfa, rajalrayas, security-response-team
Target Milestone: --- Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: moodle 4.1.2, moodle 4.0.7, moodle 3.11.13, moodle 3.9.20 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2023-03-20 21:32:59 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2180092, 2180093    
Bug Blocks: 2178257, 2180122    

Description Guilherme de Almeida Suckevicz 2023-03-17 18:03:16 UTC
Insufficient filtering of grade report history made it possible for teachers to access the names of users they could not otherwise access. This flaw affects Moodle versions 4.1 to 4.1.1, 4.0 to 4.0.6, 3.11 to 3.11.12, 3.9 to 3.9.19 and earlier unsupported versions.

Reference:
https://moodle.org/mod/forum/discuss.php?d=445068

Comment 1 Guilherme de Almeida Suckevicz 2023-03-20 17:29:30 UTC
Created moodle tracking bugs for this issue:

Affects: epel-7 [bug 2180093]
Affects: fedora-all [bug 2180092]

Comment 2 Product Security DevOps Team 2023-03-20 21:32:57 UTC
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.
