PatchSiren

CVE-2016-8642 Moodle CVE debrief

CVE-2016-8642 is a Moodle access control weakness in the question engine that can allow access to files that should not be available. NVD rates it medium severity (CVSS 5.3): the attack vector is network, no privileges or user interaction are required, and the impact is limited to confidentiality. The record was published on 2017-01-20 and later modified on 2026-05-13.

Vendor: Moodle
Product: CVE-2016-8642
CVSS: MEDIUM 5.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-20
Original CVE updated: 2026-05-13
Advisory published: 2017-01-20
Advisory updated: 2026-05-13

Who should care

Moodle administrators, LMS security teams, and organizations that use Moodle for coursework, exams, or internal training should review this issue, especially where file access controls matter.

Technical summary

NVD maps this issue to CWE-284 (Improper Access Control). The vulnerability affects multiple Moodle release lines in the 2.x and 3.x series, including versions up to 2.7.16 and specific builds in 2.8.x, 2.9.x, 3.0.x, and 3.1.x as listed by NVD. The published CVSS v3.0 vector is CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, indicating an unauthenticated network attacker could access restricted files without affecting integrity or availability.

Defensive priority

Medium. Prioritize if your Moodle deployment includes any affected versions or if restricted course, quiz, or user-upload files would create privacy or compliance exposure.

Recommended defensive actions

  • Check your Moodle instance against the affected version ranges listed in NVD for CVE-2016-8642.
  • Apply the vendor-referenced Moodle patch or upgrade to a fixed release if you are on an affected build.
  • Review question engine and file-serving permissions to confirm only intended users can reach protected content.
  • Audit logs for unusual file access patterns around quiz/question activity.
  • If immediate patching is delayed, restrict exposure of the Moodle instance and minimize access to sensitive file repositories.

Evidence notes

Source corpus shows the vulnerability description as 'In Moodle 2.x and 3.x, the question engine allows access to files that should not be available.' NVD references a Moodle vendor advisory (https://moodle.org/mod/forum/discuss.php?d=343275) and a SecurityFocus BID entry (http://www.securityfocus.com/bid/94441). NVD also lists affected Moodle CPE ranges spanning 2.x and 3.x release lines, and identifies CWE-284 with CVSS v3.0 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N.

Official resources

The CVE record was published by NVD on 2017-01-20 and modified on 2026-05-13; those dates are used here only for disclosure timing context.