CVE-2022-30597
In short
Moodle failed to hide the user description field even when it was configured as hidden. This means sensitive information in user descriptions could be visible to unauthorized people.
Technical detail
The vulnerability exists in Moodle's user field visibility control mechanism (CWE-472: Type Confusion). When the description field is marked as hidden in the system configuration, the access control is not properly enforced, allowing unauthorized disclosure of user description data. This affects confidentiality of user information despite administrative restrictions.
Summary generated and translated by AI from the official description.
A flaw was found in moodle where the description user field was not hidden when being set as a hidden user field.
Affected products
n/a · moodle
References
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-74318
https://bugzilla.redhat.com/show_bug.cgi?id=2083585
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OGF35EN5K2R6X3NTY3XPZSJ3UDASMXI6/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PIMSIRKCFLIC646K4GMUSZU7THOUVPAJ/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QCTWSE3JDMSYL7DPCMXMMJEXZSS6VIA5/
https://moodle.org/mod/forum/discuss.php?d=434579