CVE-2012-6102
medium
CVSS v3: —
CVSS v2: 6.4
VIR risk: 6.4
Description
lib.php in the Submission comments plugin in the Assignment module in Moodle 2.3.x before 2.3.4 and 2.4.x before 2.4.1 allows remote attackers to read or modify the submission comments (aka feedback comments) of arbitrary users via a crafted URI.
Predictions
Exploit likelihood: 20%
Patch ETA: —
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: secalert@redhat.com — https://moodle.org/mod/forum/discuss.php?d=220163
References
- http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-37244
- http://openwall.com/lists/oss-security/2013/01/21/1
- https://moodle.org/mod/forum/discuss.php?d=220163
CWEs
CWE-264