PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-8644 Moodle CVE debrief

CVE-2016-8644 describes an access-control flaw in Moodle where the capability to view course notes is checked in the wrong context. In practical terms, a user can be shown course notes because the permission decision is evaluated against a scope other than the intended course. NVD rates the issue Medium with CVSS 3.0 vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, indicating a network-reachable confidentiality impact with no integrity or availability impact. The NVD record lists affected Moodle releases across the 2.x and 3.x lines, and its vendor advisory reference points to Moodle's patch notice.

Vendor: Moodle
Product: CVE-2016-8644
CVSS: MEDIUM 5.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-20
Original CVE updated: 2026-05-13
Advisory published: 2017-01-20
Advisory updated: 2026-05-13

Who should care

Moodle site administrators, education IT teams, and anyone operating an affected Moodle 2.x or 3.x deployment. Course managers and support staff should also review note visibility controls, especially in environments that rely on role-based access and custom permission overrides.

Technical summary

The vulnerability is an authorization-context error: Moodle checks the capability to view course notes in the wrong context. Because the access decision is tied to the incorrect scope, a requester may be granted note visibility that should not apply in the intended course context. The NVD record associates this with multiple Moodle versions in the 2.x and 3.x families and classifies the weakness under CWE-264 (permissions, privileges, and access controls).

Defensive priority

Medium. The issue is network-reachable and can expose information, but the supplied CVSS impact is limited to confidentiality with no integrity or availability effect.

Recommended defensive actions

  • Upgrade Moodle to a vendor-patched release or the latest supported version referenced by the Moodle advisory.
  • Review course note visibility and role assignments in affected Moodle instances to confirm permissions are enforced in the intended course context.
  • Audit any custom plugins, local patches, or role overrides that interact with course notes or related capability checks.
  • Check the vendor advisory and NVD entry for the exact affected-version scope before planning remediation.
  • If immediate upgrading is not possible, restrict access to course notes as a compensating control and monitor for unexpected note visibility.
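The following is an added illustration of the review step above, not code from Moodle or from the CVE-2016-8644 fix: a hypothetical CLI script that evaluates the same note-viewing capability for one user in the intended course context and in the system context and flags any difference, which is exactly the situation in which checking the wrong context changes the answer. It assumes the standard Moodle CLI bootstrap and the capability name moodle/notes:view; the script name and location are the author's choice.

```php
<?php
// Hypothetical audit script (added example, not Moodle code or part of the
// CVE-2016-8644 patch). Place under <moodle>/admin/cli/ and run:
//   php admin/cli/audit_notes_capability.php --course=<id> --user=<id>
define('CLI_SCRIPT', true);
require(__DIR__ . '/../../config.php');
require_once($CFG->libdir . '/clilib.php');

list($options, $unrecognised) = cli_get_params(
    ['course' => 0, 'user' => 0, 'help' => false],
    ['h' => 'help']
);
if ($options['help'] || !$options['course'] || !$options['user']) {
    cli_writeln("Usage: php audit_notes_capability.php --course=<id> --user=<id>");
    exit(0);
}

$capability    = 'moodle/notes:view';   // assumed capability for viewing course notes
$courseid      = (int) $options['course'];
$userid        = (int) $options['user'];
$course        = get_course($courseid); // throws if the course does not exist
$coursecontext = context_course::instance($course->id); // the intended scope
$systemcontext = context_system::instance();            // a broader scope

// Evaluate the same capability for the same user in each scope.
$incourse = has_capability($capability, $coursecontext, $userid);
$insystem = has_capability($capability, $systemcontext, $userid);

cli_writeln(sprintf("user %d, course %d (%s):", $userid, $course->id, $course->shortname));
cli_writeln(sprintf("  %s in course context : %s", $capability, $incourse ? 'ALLOWED' : 'denied'));
cli_writeln(sprintf("  %s in system context : %s", $capability, $insystem ? 'ALLOWED' : 'denied'));

// A difference means a role override at course or category level changes the
// outcome, so a check made in the wrong context would reach a different decision.
if ($incourse !== $insystem) {
    cli_writeln("  MISMATCH: decision depends on the context checked; review role overrides for this course.");
    exit(1);
}
cli_writeln("  consistent across contexts.");
exit(0);
```

Run it for the users and courses where note visibility matters most; a non-zero exit marks a course whose overrides deserve a closer look after upgrading.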

Evidence notes

The supplied NVD record states: "In Moodle 2.x and 3.x, the capability to view course notes is checked in the wrong context." NVD assigns CVSS 3.0 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N and CWE-264. The record also carries a Moodle vendor advisory reference and a third-party advisory reference, which supports that the issue was publicly disclosed and patched by the vendor.

Official resources

Publicly disclosed in the supplied NVD record on 2017-01-20, with a Moodle vendor advisory reference linked from the same record. The CVE record was later modified on 2026-05-13, but that is a record update, not the disclosure date.