
CVE-2022-40316: Missing group filtering in the Moodle H5P activity attempts report

Medium
Tags: Vulnerability, CVE-2022-40316
Published: Fri Sep 30 2022 (09/30/2022, 16:37:12 UTC)
Source: CVE
Vendor/Project: n/a
Product: moodle

Description

The H5P activity attempts report did not filter by groups, which in separate groups mode could reveal information to non-editing teachers about attempts/users in groups they should not have access to.

AI-Powered Analysis

Last updated: 07/04/2025, 10:26:08 UTC

Technical Analysis

CVE-2022-40316 is a medium-severity vulnerability affecting Moodle 3.9 up to 3.9.16, 3.11 up to 3.11.9, and 4.0 up to 4.0.3, as well as earlier unsupported versions. The defect is in the H5P activity attempts report: the report did not constrain the attempts it listed by group, so in a course or activity using separate groups mode a non-editing teacher could see attempts, and therefore the identities of the users who made them, from groups they are not a member of. This is a code defect in the report, not a site misconfiguration: separate groups mode is precisely the setting that is supposed to hide other groups' data from users who lack the capability to access all groups.

Despite the "SQL injection" label this page's title carries, nothing in the CVE description describes injection; the issue is an authorization flaw (categorised here as CWE-862, missing authorization) in which an existing group-based access rule is simply not applied to one report. The CVSS 3.1 base score is 4.3 (medium), consistent with the vector AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N: network-reachable, low attack complexity, requires low privileges (an enrolled non-editing teacher), no user interaction, and a limited impact on confidentiality only, with no effect on integrity or availability.

There are no known exploits in the wild. The fix shipped in Moodle 4.0.4, 3.11.10 and 3.9.17, the releases immediately following the affected ranges, and Moodle publishes the corresponding advisory on its security announcements page. Administrators should still treat the issue seriously because of the sensitivity of educational records: the exposed data is which students attempted an activity, and how they scored, across group boundaries that the course was deliberately configured to enforce.
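The following Python model is an added example and is not Moodle code (Moodle is written in PHP, and the names `Attempt`, `Course`, `Viewer`, `report_attempts_*` and `leaked_attempts` are illustrative assumptions). It isolates the decision the report has to make: in separate groups mode, a viewer without the access-all-groups capability may only see attempts by members of their own groups. The vulnerable form returns every attempt in the activity; the fixed form applies the group rule; `leaked_attempts` computes the difference, which is exactly what a non-editing teacher should not have been able to see. The group mode constants match Moodle's (`NOGROUPS`, `SEPARATEGROUPS`, `VISIBLEGROUPS`); all sample data is constructed.

```python
from dataclasses import dataclass, field

# Moodle's group mode constants (lib/moodlelib.php). Everything else in this
# file is an illustrative assumption, not a Moodle API.
NOGROUPS, SEPARATEGROUPS, VISIBLEGROUPS = 0, 1, 2


@dataclass(frozen=True)
class Attempt:
    id: int
    userid: int
    score: float


@dataclass
class Course:
    groupmode: int
    # groupid -> set of member user ids (constructed; Moodle stores this in
    # the groups and groups_members tables)
    groups: dict[int, set[int]] = field(default_factory=dict)


@dataclass(frozen=True)
class Viewer:
    userid: int
    access_all_groups: bool  # stands in for moodle/site:accessallgroups


def viewer_groups(course: Course, viewer: Viewer) -> set[int]:
    """Group ids the viewer is a member of in this course."""
    return {gid for gid, members in course.groups.items() if viewer.userid in members}


def may_view(course: Course, viewer: Viewer, subject_userid: int) -> bool:
    """The group rule the report must enforce.

    Only separate groups mode restricts visibility, and only for viewers who
    lack the access-all-groups capability. A viewer in no group at all sees
    nobody, which is the edge case that matters for non-editing teachers who
    were never assigned to a group.
    """
    if course.groupmode != SEPARATEGROUPS or viewer.access_all_groups:
        return True
    return any(subject_userid in course.groups[gid] for gid in viewer_groups(course, viewer))


def report_attempts_vulnerable(course: Course, viewer: Viewer, attempts: list[Attempt]) -> list[Attempt]:
    """Shape of the defect: attempts are fetched for the whole activity and
    the viewer's groups are never consulted."""
    return list(attempts)


def report_attempts_fixed(course: Course, viewer: Viewer, attempts: list[Attempt]) -> list[Attempt]:
    """Corrected behaviour: every row is filtered through the group rule."""
    return [a for a in attempts if may_view(course, viewer, a.userid)]


def leaked_attempts(course: Course, viewer: Viewer, attempts: list[Attempt]) -> list[Attempt]:
    """Rows the unfiltered report exposes that a filtered one would not."""
    allowed = {a.id for a in report_attempts_fixed(course, viewer, attempts)}
    return [a for a in report_attempts_vulnerable(course, viewer, attempts) if a.id not in allowed]


def build_sample() -> tuple[Course, list[Attempt]]:
    """Constructed sample: one course in separate groups mode with two groups.
    User 201 is the non-editing teacher and belongs only to group 10."""
    course = Course(
        groupmode=SEPARATEGROUPS,
        groups={10: {101, 102, 201}, 20: {103, 104}},
    )
    attempts = [
        Attempt(1, 101, 80.0),
        Attempt(2, 102, 55.0),
        Attempt(3, 103, 90.0),
        Attempt(4, 104, 70.0),
    ]
    return course, attempts


if __name__ == "__main__":
    course, attempts = build_sample()
    teacher = Viewer(userid=201, access_all_groups=False)
    for a in leaked_attempts(course, teacher, attempts):
        print(f"leaked to user {teacher.userid}: attempt {a.id} by user {a.userid} (score {a.score})")
```

The same three conditions drive a manual check on a live site: pick a course in separate groups mode, enrol a test account as non-editing teacher in exactly one group, make sure it does not hold the access-all-groups capability, and open the H5P activity attempts report. On a fixed release the report lists only members of that one group; on an affected release it lists everyone.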

Potential Impact

For European organizations, especially educational institutions and e-learning providers running Moodle, this vulnerability threatens the confidentiality of student and teacher data. Disclosure of group-specific attempts and user identities to staff who were deliberately walled off from them can amount to a personal data breach under GDPR, with the attendant regulatory and reputational consequences, and undermines confidence in the institution's handling of educational records. Because Moodle is widely deployed across European universities, schools and training centres, the population of affected sites is large. The flaw does not permit modification or deletion of data and does not affect availability, so its scope is limited to information disclosure. Exploitation requires an account holding at least the non-editing teacher role in a course that uses separate groups mode, so unauthenticated external attackers are not a realistic threat; the realistic actors are insiders with teaching roles and attackers who have compromised such an account.

Mitigation Recommendations

Administrators should confirm their Moodle version and upgrade to a release later than 4.0.3, 3.11.9 or 3.9.16; the first fixed releases are 4.0.4, 3.11.10 and 3.9.17, and the fix is in those releases, not something still to come. Where an upgrade cannot be applied immediately, review teacher and non-editing teacher assignments in courses that use separate groups mode and keep them to the minimum necessary, and audit which roles hold the moodle/site:accessallgroups capability, since those roles see every group by design and are not relevant to this bug. After patching, verify the fix directly: log in as a test account with only the non-editing teacher role, membership of a single group and no access-all-groups capability, open the H5P activity attempts report in a separate-groups course, and confirm that only that group's attempts are listed. Monitoring of teacher account activity, multi-factor authentication for staff accounts and prompt application of Moodle security advisories reduce the chance that a compromised teacher account is used to exploit this or similar authorization flaws.


Technical Details

Data Version
5.1
Assigner Short Name
fedora
Date Reserved
2022-09-09T00:00:00.000Z
Cisa Enriched
true
Cvss Version
3.1
State
PUBLISHED

Threat ID: 682cd0f71484d88663aeae41

Added to database: 5/20/2025, 6:59:03 PM

Last enriched: 7/4/2025, 10:26:08 AM

Last updated: 7/28/2025, 12:51:30 PM
