PatchSiren cyber security CVE debrief

CVE-2016-5012 Moodle CVE debrief

CVE-2016-5012 is a medium-severity information-disclosure issue in Moodle’s glossary search. According to the CVE description, glossary search could display entries without first checking whether the user had permission to view them, so content that was meant to remain restricted could become visible to unauthorized users through search results. NVD lists the affected Moodle 3.1.0 builds as 3.1.0 beta, RC1, RC2, and the 3.1.0 release, and the CVSS vector reflects a network-reachable disclosure that requires no authentication.

Vendor: Moodle
Product: CVE-2016-5012
CVSS: MEDIUM 5.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-20
Original CVE updated: 2026-05-13
Advisory published: 2017-01-20
Advisory updated: 2026-05-13

Who should care

Moodle administrators, LMS operators, and security teams responsible for student, staff, or institutional data stored in Moodle should review this issue. It is especially relevant where glossary entries may contain internal, class-specific, or otherwise restricted content.

Technical summary

The flaw is an access-control failure in glossary search: results were shown without verifying whether the requesting user was allowed to view the underlying entries. The issue maps to CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). NVD rates it CVSS 3.0 5.3 with AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, which is consistent with unauthorized read-only exposure over the network. The NVD record lists Moodle 3.1.0, 3.1.0 beta, 3.1.0 rc1, and 3.1.0 rc2 as vulnerable CPEs.

Defensive priority

Medium. The CVSS vector records no integrity or availability impact, but the flaw can expose restricted information to unauthorized users. Prioritize remediation if the affected Moodle instance stores sensitive academic, operational, or personal content in glossary entries.

Recommended defensive actions

  • Confirm whether any deployed Moodle instance matches the affected 3.1.0 builds listed by NVD.
  • Apply the vendor-provided fix or upgrade to a Moodle release that includes the correction.
  • Review glossary content for entries that should not be broadly visible and reduce sensitive data exposure where practical.
  • After remediation, verify that search results only return entries the current user is authorized to view.
  • Check access-control coverage in other user-facing search and listing features to make sure permission checks are applied consistently.
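The following is an added illustration, not Moodle's own code and not based on the patched Moodle source: a small model of the access-control gap the technical summary describes, alongside the corrected pattern and the post-remediation check recommended above. The data model (courses, glossaries, an approved flag, a hidden-glossary flag, a staff role) and all sample entries are constructed assumptions chosen to make the permission logic visible; only the shape of the defect, text matching without a per-entry permission check, comes from the CVE description.

```python
"""Illustrative model of a search-without-permission-check defect (constructed
example; not Moodle code). A vulnerable search matches entries by text only; the
fixed search applies a per-entry visibility check to every hit; audit_search()
is the verification a defender runs after remediation."""

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Glossary:
    glossary_id: int
    course_id: int
    visible: bool = True  # assumption: hidden glossaries are staff-only


@dataclass(frozen=True)
class GlossaryEntry:
    entry_id: int
    glossary_id: int
    concept: str
    definition: str
    approved: bool = True  # assumption: unapproved entries visible to staff/author only
    author_id: int = 0


@dataclass
class User:
    user_id: int
    enrolled_courses: set = field(default_factory=set)
    staff_courses: set = field(default_factory=set)


def can_view_entry(user, entry, glossaries):
    """Single source of truth for 'may this user see this entry?' (assumed rules)."""
    glossary = glossaries[entry.glossary_id]
    if glossary.course_id not in user.enrolled_courses:
        return False  # not enrolled in the course that owns the glossary
    is_staff = glossary.course_id in user.staff_courses
    if not glossary.visible and not is_staff:
        return False  # hidden glossary, non-staff user
    if not entry.approved and not is_staff and entry.author_id != user.user_id:
        return False  # pending entry, not the author and not staff
    return True


def text_matches(entry, query):
    q = query.lower()
    return q in entry.concept.lower() or q in entry.definition.lower()


def search_vulnerable(user, query, entries, glossaries):
    # Before: results are selected on text alone; the requester is never consulted.
    return [e for e in entries if text_matches(e, query)]


def search_fixed(user, query, entries, glossaries):
    # After: the same text match, then every hit is filtered through the permission check.
    return [e for e in entries
            if text_matches(e, query) and can_view_entry(user, e, glossaries)]


def audit_search(search_fn, user, query, entries, glossaries):
    """Post-remediation verification: ids of returned entries the user may NOT view."""
    return sorted(e.entry_id for e in search_fn(user, query, entries, glossaries)
                  if not can_view_entry(user, e, glossaries))


# Constructed sample data: two courses, three glossaries, four entries.
GLOSSARIES = {
    1: Glossary(glossary_id=1, course_id=101),
    2: Glossary(glossary_id=2, course_id=202),
    3: Glossary(glossary_id=3, course_id=101, visible=False),
}
ENTRIES = [
    GlossaryEntry(1, 1, "Phishing", "Fraudulent messages that harvest credentials."),
    GlossaryEntry(2, 2, "Phishing kit", "Internal note for course 202 staff only."),
    GlossaryEntry(3, 1, "Phishing lure", "Pending review.", approved=False, author_id=99),
    GlossaryEntry(4, 3, "Anti-phishing", "Hidden glossary, draft content."),
]
STUDENT = User(user_id=7, enrolled_courses={101})
STAFF = User(user_id=8, enrolled_courses={101}, staff_courses={101})


if __name__ == "__main__":
    for name, fn in (("vulnerable", search_vulnerable), ("fixed", search_fixed)):
        ids = [e.entry_id for e in fn(STUDENT, "phishing", ENTRIES, GLOSSARIES)]
        leaks = audit_search(fn, STUDENT, "phishing", ENTRIES, GLOSSARIES)
        print(f"{name}: student sees {ids}, unauthorized results {leaks}")
```

The audit function is the reusable part: run it for a low-privilege account against every search or listing feature (glossary search here, but the same shape applies to other user-facing listings) and treat any non-empty result as a regression of the permission check.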

Evidence notes

This debrief is based only on the supplied CVE record and linked official/vendor references. The CVE description states that glossary search displayed entries without checking user permissions. The NVD metadata provides the CVSS vector, CWE-200 mapping, and vulnerable CPE entries for Moodle 3.1.0 beta, rc1, rc2, and 3.1.0. Timing context uses the CVE publishedAt date of 2017-01-20; the later modifiedAt date is not treated as the issue date.

Official resources

Publicly disclosed on 2017-01-20 in the CVE/NVD record, with vendor advisory and patch discussion links referenced in the record.