CVE-2022-28986
Published: 10 May 2022
Summary
CVE-2022-28986 is a high-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in Lmsdoctor 2 Factor Authentication. Its CVSS base score is 7.5 (High).
Operationally, it ranks in the top 8.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
The LMS Doctor Simple 2 Factor Authentication Plugin for Moodle, version 2021072900, contains an insecure direct object reference (IDOR) vulnerability tracked as CVE-2022-28986. The flaw is rated 7.5 under CVSS 3.1 and is classified as CWE-639: the affected component accepts a user-controlled record key without verifying that the requester is authorized to modify that record, allowing unauthorized manipulation of user records.
Remote attackers can exploit the vulnerability without authentication or user interaction to update sensitive fields such as email addresses, passwords, and phone numbers on arbitrary accounts.
The supplied references include a public proof-of-concept repository but contain no advisory statements or patch guidance. The EPSS score shows a flat trajectory with both current and peak values at 0.0630.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-33417
Vulnerability details
LMS Doctor Simple 2 Factor Authentication Plugin for Moodle, affected version 2021072900, has an insecure direct object reference (IDOR) vulnerability, which allows remote attackers to update sensitive records such as the email, password and phone number of other user accounts.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.