Listen to this Post
The vulnerability exists within the assignment submission functionality designed for anonymous grading. When a student submits work to an assignment configured for anonymous marking, the Moodle application incorrectly embeds the user’s internal database identifier (ID) into the subsequent confirmation or view page URL as a request parameter. This identifier is a persistent, unique key linked directly to the user account within the Moodle database. While the interface may obfuscate the user’s name, the exposure of this ID in the URL string constitutes a breach of the intended anonymity. The tainted URL may be recorded in web server logs, browser history, or transmitted to third-party analytics via the HTTP Referer header. An attacker with access to these logs or the ability to view the victim’s browser history could collect these exposed IDs. By correlating the captured internal user IDs with other data or system interactions, an attacker can potentially deanonymize students, linking specific assignment submissions to individual user accounts, thereby compromising the privacy and integrity of the anonymous grading process.
Platform: Moodle
Version: Multiple affected
Vulnerability: Information disclosure
Severity: Moderate
date: 2026-02-03
Prediction: Patched 2026-02-03
What Undercode Say:
curl -s https://moodle.org/ | grep "Version"
find /path/to/moodle -type f -name ".php" -exec grep -l "anonymous.assignment" {} \;
cat /var/log/apache2/access.log | grep "assign/view.php"
How Exploit:
1. Attacker harvests URLs from logs.
2. Extracts exposed user_id parameters.
3. Correlates IDs with other user data.
4. Links submissions to identities.
Protection from this CVE
Upgrade to patched versions.
Audit server access logs.
Review Referer header policies.
Impact:
Breached anonymity.
Potential user deanonymization.
Information disclosure.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

