onurcangnc/moodle_block_openai_chat

The completion.php endpoint uses the blockId parameter to select which chat block configuration (prompt templates, Source of Truth entries, model settings) is applied when processing OpenAI completions. However, the endpoint performs no access-control check that the requesting user owns the block instance identified by blockId.

CVE History

CVE | Published | CVSS v3 | CVSS v2
 |  | 4.3 MEDIUM | 

Moodle OpenAI Chat Block plugin 3.0.1 (2025021700) suffers from an Insecure Direct Object Reference (IDOR) vulnerability due to insufficient validation of the blockId parameter in /blocks/openai_chat/api/completion.php. An authenticated student can supply the blockId of another user's block (e.g., an administrator's) and send queries that are executed with that block's configuration. This can expose administrator-only Source of Truth entries, alter model behavior, and potentially misuse API resources.
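Illustrative hardening of such an endpoint, written here as an added example and not taken from the plugin. The config.php path, the load_block_config() helper and the assumption that dashboard blocks live in the owning user's context (Moodle's default layout) are assumptions, not facts from the advisory:

```php
<?php
// Added example, not the plugin's own code. Shows the missing ownership check in
// a Moodle block API endpoint such as completion.php. Assumptions: the script
// lives in blocks/openai_chat/api/ (hence the config.php path), per-instance
// settings are loaded by a hypothetical load_block_config(), and dashboard
// blocks sit in the owning user's context (Moodle's default layout).
require_once(__DIR__ . '/../../../config.php');

require_login();
require_sesskey();   // also rejects requests forged from another site

$blockid = required_param('blockId', PARAM_INT);

// Vulnerable pattern described in the advisory: any valid blockId is honoured,
// so a student can run queries with an administrator's configuration.
//     $config = load_block_config($blockid);   // no ownership/context check

// Hardened pattern: resolve the instance, then authorise in *its* context.
$instance = $DB->get_record('block_instances',
    ['id' => $blockid, 'blockname' => 'openai_chat'], '*', MUST_EXIST);
$context = context_block::instance($instance->id);
$parent  = $context->get_parent_context();

if ($parent->contextlevel == CONTEXT_USER) {
    // Dashboard block: only the owning user may use its configuration.
    if ((int)$parent->instanceid !== (int)$USER->id) {
        throw new moodle_exception('nopermissions', 'error', '', 'use this block');
    }
} else if ($parent->contextlevel == CONTEXT_COURSE) {
    // Course block: enforce enrolment and course visibility first.
    require_login($parent->instanceid);
}
// In every placement the user must also be allowed to view this block.
require_capability('moodle/block:view', $context);

$config = load_block_config($blockid);   // hypothetical helper; now safe to load
```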