CVE-2022-0984 — Missing authorization in Moodle

Description

Users with the capability to configure badge criteria (teachers and managers by default) were able to configure course badges with profile field criteria, which should only be available for site badges.

How to fix CVE-2022-0984

To remediate CVE-2022-0984, upgrade the affected package to a fixed version below.

Bitnami/moodle—upgrade to 3.9.13 or later
—upgrade to 3.11.6 or later

Is CVE-2022-0984 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

>= 3.9.0, < 3.9.13, >= 3.10.0, < 3.10.10, >= 3.11.0, < 3.11.6
>= 3.11.0, < 3.11.6

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2022-0984
PATCHgithub.com/moodle/moodle
WEBbugzilla.redhat.com/show_bug.cgi?id=2064118
WEBbugzilla.redhat.com/show_bug.cgi?id=2064125
WEB