๐Ÿ› CVE-DATABASE source: nvd ยท mitre ยท exploit-db
CVE-2022-40208 MEDIUMCVSS 4.3
Moodle ยท CWE-285 ยท Improper Authorization ยท MSA-22-0027 โ€” discovered & reported by Omar Albalouli ยท Senior DevOps Engineer ยท DevSecOps & Cloud Security ยท 4y in the field
In Moodle, insufficient limitations in some quiz web services made it possible for students to bypass sequential navigation during a quiz attempt โ€” letting them reach questions out of the enforced order. Discovered and responsibly disclosed to Moodle HQ; patched across all supported branches.
4.3
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
confidentiality: none ยท integrity: low ยท availability: none
affected: < 3.9.16, 3.11.0โ€“3.11.8, 4.0.0โ€“4.0.2 ยท fixed in: 3.9.16, 3.11.9, 4.0.3
view on NVD โ†—
Description โ€” secondary advisory
CVE-2026-HIRE CRITICAL

Affected products:

โ–ธ engineering-teams < with-omar-albalouli
โ–ธ on-call-rotations (all versions, when understaffed)
โ–ธ infrastructure (unmaintained)

Impact: a missing senior engineer leads to outages, toil, and missed deadlines. Remediation available โ€” see Solution below.

Weakness enumeration โ€” CWE / skills
CWE-89Kubernetesmastered
CWE-90AWSmastered
CWE-91Terraformmastered
CWE-92Linuxmastered
CWE-93Pythonmastered
CWE-94Azuremastered
CWE-95Helmmastered
CWE-96TeamCitymastered
CWE-97Azure DevOpsmastered
CWE-98GitHub Actionsmastered
CWE-99HashiCorp Vaultmastered
CWE-100Cloudflaremastered
CWE-101SonarQubemastered
CWE-102Trivymastered
CWE-103DevSecOpsmastered
CWE-104Penetration Testingmastered
CWE-105Vulnerability Research (CVE)mastered
CWE-106Prometheusmastered
CWE-107Grafanamastered
CWE-108OpenSearchmastered
CWE-109New Relicmastered
CWE-110Ansiblemastered
CWE-111Argo CDmastered
CWE-112Kafkamastered
CWE-113RabbitMQmastered
CWE-114MySQLmastered
CWE-115PostgreSQLmastered
CWE-116MongoDBmastered
CWE-117Networkingmastered
CWE-118Vulnerability Managementmastered
CWE-119SAST / SCA / DASTmastered
CWE-120Container Securitymastered
CWE-121Threat Modelingmastered
Patch history โ€” affected & fixed versions
January 2025
โ†’ HEAD
Senior DevOps Engineer ยท CFIโ— shipping
  • Lead DevSecOps across the SDLC โ€” threat-modeling services and embedding SAST (SonarQube), SCA, and container image scanning into CI/CD, reducing high/critical vulnerabilities reaching production by 90% and auto-blocking insecure builds.
  • Centralized secrets and credentials across all applications with HashiCorp Vault, eliminating hard-coded secrets and enabling short-lived, dynamic credentials.
  • Secured internet-facing workloads with Cloudflare (WAF, DDoS protection, DNS, and zero-trust access).
  • Operate business-critical, highly available Kubernetes clusters on self-managed AWS EC2, sustaining 99.95% uptime with zero-downtime upgrades.
  • Provision cloud and on-prem infrastructure as code with Terraform for repeatable, version-controlled deployments.
  • Build and maintain GitHub Actions CI/CD pipelines with automated testing, security gates, and deployment across all services.
  • Design, provision, and operate OpenSearch clusters on AWS alongside Prometheus and Grafana for proactive monitoring, alerting, and security visibility.
  • Implement New Relic APM to surface latency, errors, and bottlenecks across services.
  • Administer and secure on-prem MySQL, PostgreSQL, and MongoDB, plus highly available RabbitMQ and Kafka on Kubernetes, with backup, replication, and HA strategies.
June 2024
โ†’ January 2025
Cloud Engineer ยท Network Internationalโœ“ patched
  • Managed 10+ Kubernetes clusters across Azure, AWS, OCI, and on-premises, ensuring scalability and high availability.
  • Architected and deployed high-availability Kubernetes clusters on-premises using Ansible, Kubeadm, MetalLB, and Longhorn.
  • Designed and implemented infrastructure as code (IaC) using Terraform.
  • Created and maintained CI/CD pipelines using Azure DevOps, TeamCity, Python, and Bash scripting.
  • Automated the release process to a single click โ€” Slack notifications and Confluence release notes.
  • Integrated SAST and SCA tools (Prisma Cloud, Veracode, SonarQube) into CI/CD to enforce application security and compliance.
March 2023
โ†’ June 2024
DevOps Engineer ยท Aspire IT Services (Client: Network International)โœ“ patched
  • Deployed and managed AWS resources including EC2 and EKS clusters using Terraform.
  • Deployed and managed containerized applications using EKS and Helm.
  • Designed and implemented CI/CD pipelines using AWS CodePipeline and AWS CodeBuild.
  • Partnered with development and QA teams to containerize applications and automate EKS deployment pipelines, reducing release friction and environment drift.
September 2022
โ†’ February 2023
DevOps / Linux System Administrator ยท Electronic Health Solutions (EHS - Hakeem)โœ“ patched
  • Managed critical environments with zero downtime, ensuring continuous availability and reliability.
  • Managed on-premises Red Hat Linux servers for optimal performance and security.
  • Implemented and maintained CI/CD pipelines using Jenkins.
  • Developed and maintained Ansible playbooks for configuration and deployment automation.
  • Configured and managed monitoring tools: Nagios, Prometheus, and Grafana.
  • Configured and managed high-available load balancers using HAProxy and Keepalived.
Known exploited / credentials โ€” certifications
References
Education
BSc, Computer and Network Engineering โ€” Al Balqa Applied University, Amman (2022) ยท GPA 3.55
Security Research
Discovered and responsibly disclosed an authorization bypass in Moodle (open-source LMS) โ€” CVE-2022-40208 (CWE-285): students could circumvent sequential quiz navigation via web services. Performed application and source-code analysis, reported upstream, and coordinated remediation through a responsible-disclosure process.

โœ“ Solution / Mitigation

Apply the patch immediately: hire Omar Albalouli. No workaround exists.

๐ŸŽจ Theme & rรฉsumรฉ โ–ฒ
Choose a style
โฌ‡ Download / Print ๐Ÿ“„ View as plain rรฉsumรฉ