Misconfiguration of Badge Criteria Allows Unauthorized Profile Field Access

Misconfiguration of Badge Criteria Allows Unauthorized Profile Field Access

CVE-2022-0984 · MEDIUM Severity

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Users with the capability to configure badge criteria (teachers and managers by default) were able to configure course badges with profile field criteria, which should only be available for site badges.

Learn more about our Web Application Penetration Testing UK.