CVE-2018-10890 : What You Need to Know

A vulnerability in Moodle versions 3.5.1, 3.4.4, 3.3.7, and 3.1.13 could allow hidden categories to be included in the core_course_get_categories web service output.

Understanding CVE-2018-10890

This CVE identifies a flaw in Moodle that could potentially expose hidden categories when retrieving course categories.

What is CVE-2018-10890?

The vulnerability in Moodle versions 3.5.1, 3.4.4, 3.3.7, and 3.1.13 allows the core_course_get_categories web service to return hidden categories that should be excluded.

The Impact of CVE-2018-10890

CVSS Base Score: 4.3 (Medium Severity)
Attack Vector: Network
Confidentiality Impact: Low
Integrity Impact: None
This vulnerability could lead to unauthorized access to hidden categories within Moodle.

Technical Details of CVE-2018-10890

The technical aspects of the vulnerability in Moodle.

Vulnerability Description

The core_course_get_categories web service in affected Moodle versions may expose hidden categories, compromising data confidentiality.

Affected Systems and Versions

Moodle 3.5.1
Moodle 3.4.4
Moodle 3.3.7
Moodle 3.1.13

Exploitation Mechanism

Attackers can exploit this vulnerability by leveraging the exposed hidden categories to gain unauthorized access to sensitive information.

Mitigation and Prevention

Protecting systems from CVE-2018-10890.

Immediate Steps to Take

Update Moodle to a patched version that addresses the vulnerability.
Monitor and restrict access to sensitive course categories.

Long-Term Security Practices

Regularly review and update Moodle installations to ensure the latest security patches are applied.
Educate users on data security best practices to prevent unauthorized access.

Patching and Updates

Apply the official patches provided by Moodle to fix the vulnerability and prevent potential exploitation.