CERTFR-2024-AVI-0696
Vulnerability from certfr_avis - Published: - Updated:
Multiple vulnerabilities have been discovered in Moodle. Some of them allow an attacker to achieve remote arbitrary code execution, a breach of data confidentiality and a breach of data integrity.
Solutions
Refer to the vendor's security bulletin to obtain the patches (see the Documentation section).
Impacted products
References
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Moodle versions ant\u00e9rieures \u00e0 4.1.12",
"product": {
"name": "N/A",
"vendor": {
"name": "Moodle",
"scada": false
}
}
},
{
"description": "Moodle versions 4.3.x ant\u00e9rieures \u00e0 4.3.6",
"product": {
"name": "N/A",
"vendor": {
"name": "Moodle",
"scada": false
}
}
},
{
"description": "Moodle versions 4.4.x ant\u00e9rieures \u00e0 4.4.2",
"product": {
"name": "N/A",
"vendor": {
"name": "Moodle",
"scada": false
}
}
},
{
"description": "Moodle versions 4.2.x ant\u00e9rieures \u00e0 4.2.9 ",
"product": {
"name": "N/A",
"vendor": {
"name": "Moodle",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2024-43427",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-43427"
},
{
"name": "CVE-2024-43434",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-43434"
},
{
"name": "CVE-2024-43425",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-43425"
},
{
"name": "CVE-2024-43436",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-43436"
},
{
"name": "CVE-2024-43435",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-43435"
},
{
"name": "CVE-2024-43437",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-43437"
},
{
"name": "CVE-2024-43429",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-43429"
},
{
"name": "CVE-2024-43428",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-43428"
},
{
"name": "CVE-2024-43438",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-43438"
},
{
"name": "CVE-2024-43439",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-43439"
},
{
"name": "CVE-2024-43432",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-43432"
},
{
"name": "CVE-2024-43431",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-43431"
},
{
"name": "CVE-2024-43430",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-43430"
},
{
"name": "CVE-2024-43426",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-43426"
},
{
"name": "CVE-2024-43440",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-43440"
},
{
"name": "CVE-2024-43433",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-43433"
}
],
"links": [],
"reference": "CERTFR-2024-AVI-0696",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2024-08-19T00:00:00.000000"
}
],
"risks": [
{
"description": "Injection de code indirecte \u00e0 distance (XSS)"
},
{
"description": "Injection de requ\u00eates ill\u00e9gitimes par rebond (CSRF)"
},
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Moodle. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance, une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es et une atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans Moodle",
"vendor_advisories": [
{
"published_at": "2024-08-19",
"title": "Bulletin de s\u00e9curit\u00e9 Moodle MSA-24-0034",
"url": "https://moodle.org/mod/forum/discuss.php?d=461202"
},
{
"published_at": "2024-08-19",
"title": "Bulletin de s\u00e9curit\u00e9 Moodle MSA-24-0041",
"url": "https://moodle.org/mod/forum/discuss.php?d=461210"
},
{
"published_at": "2024-08-19",
"title": "Bulletin de s\u00e9curit\u00e9 Moodle MSA-24-0035",
"url": "https://moodle.org/mod/forum/discuss.php?d=461203"
},
{
"published_at": "2024-08-19",
"title": "Bulletin de s\u00e9curit\u00e9 Moodle MSA-24-0029",
"url": "https://moodle.org/mod/forum/discuss.php?d=461196"
},
{
"published_at": "2024-08-19",
"title": "Bulletin de s\u00e9curit\u00e9 Moodle MSA-24-0038",
"url": "https://moodle.org/mod/forum/discuss.php?d=461207"
},
{
"published_at": "2024-08-19",
"title": "Bulletin de s\u00e9curit\u00e9 Moodle MSA-24-0040",
"url": "https://moodle.org/mod/forum/discuss.php?d=461209"
},
{
"published_at": "2024-08-19",
"title": "Bulletin de s\u00e9curit\u00e9 Moodle MSA-24-0039",
"url": "https://moodle.org/mod/forum/discuss.php?d=461208"
},
{
"published_at": "2024-08-19",
"title": "Bulletin de s\u00e9curit\u00e9 Moodle MSA-24-0032",
"url": "https://moodle.org/mod/forum/discuss.php?d=461199"
},
{
"published_at": "2024-08-19",
"title": "Bulletin de s\u00e9curit\u00e9 Moodle MSA-24-0028",
"url": "https://moodle.org/mod/forum/discuss.php?d=461195"
},
{
"published_at": "2024-08-19",
"title": "Bulletin de s\u00e9curit\u00e9 Moodle MSA-24-0033",
"url": "https://moodle.org/mod/forum/discuss.php?d=461200"
},
{
"published_at": "2024-08-19",
"title": "Bulletin de s\u00e9curit\u00e9 Moodle MSA-24-0037",
"url": "https://moodle.org/mod/forum/discuss.php?d=461206"
},
{
"published_at": "2024-08-19",
"title": "Bulletin de s\u00e9curit\u00e9 Moodle MSA-24-0030",
"url": "https://moodle.org/mod/forum/discuss.php?d=461197"
},
{
"published_at": "2024-08-19",
"title": "Bulletin de s\u00e9curit\u00e9 Moodle MSA-24-0026",
"url": "https://moodle.org/mod/forum/discuss.php?d=461193"
},
{
"published_at": "2024-08-19",
"title": "Bulletin de s\u00e9curit\u00e9 Moodle MSA-24-0031",
"url": "https://moodle.org/mod/forum/discuss.php?d=461198"
},
{
"published_at": "2024-08-19",
"title": "Bulletin de s\u00e9curit\u00e9 Moodle MSA-24-0027",
"url": "https://moodle.org/mod/forum/discuss.php?d=461194"
},
{
"published_at": "2024-08-19",
"title": "Bulletin de s\u00e9curit\u00e9 Moodle MSA-24-0036",
"url": "https://moodle.org/mod/forum/discuss.php?d=461205"
}
]
}
CVE-2024-43438 (GCVE-0-2024-43438)
Vulnerability from cvelistv5 – Published: 2024-11-07 13:31 – Updated: 2024-11-07 16:48
Title
Moodle: idor in feedback non-respondents report allows messaging arbitrary site users
Summary
A flaw was found in Feedback. Bulk messaging in the activity's non-respondents report did not verify message recipients belonging to the set of users returned by the report.
Severity
7.5 (High)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
Impacted products
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "moodle",
"vendor": "moodle",
"versions": [
{
"lessThan": "4.1.12",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "4.2.9",
"status": "affected",
"version": "4.2",
"versionType": "semver"
},
{
"lessThan": "4.3.6",
"status": "affected",
"version": "4.3",
"versionType": "semver"
},
{
"lessThan": "4.4.2",
"status": "affected",
"version": "4.4",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-43438",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-07T14:40:31.902345Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-07T16:48:06.773Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com/moodle/moodle",
"defaultStatus": "unaffected",
"packageName": "moodle",
"versions": [
{
"lessThan": "4.1.12",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "4.2.9",
"status": "affected",
"version": "4.2",
"versionType": "semver"
},
{
"lessThan": "4.3.6",
"status": "affected",
"version": "4.3",
"versionType": "semver"
},
{
"lessThan": "4.4.2",
"status": "affected",
"version": "4.4",
"versionType": "semver"
}
]
}
],
"datePublic": "2024-08-19T04:00:00+00:00",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in Feedback. Bulk messaging in the activity\u0027s non-respondents report did not verify message recipients belonging to the set of users returned by the report."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"providerMetadata": {
"dateUpdated": "2024-11-07T13:31:20.238Z",
"orgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5",
"shortName": "fedora"
},
"references": [
{
"name": "RHBZ#2304267",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2304267"
},
{
"url": "https://moodle.org/mod/forum/discuss.php?d=461208"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-08-12T00:00:00+00:00",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2024-08-19T04:00:00+00:00",
"value": "Made public."
}
],
"title": "Moodle: idor in feedback non-respondents report allows messaging arbitrary site users",
"workarounds": [
{
"lang": "en",
"value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."
}
]
}
},
"cveMetadata": {
"assignerOrgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5",
"assignerShortName": "fedora",
"cveId": "CVE-2024-43438",
"datePublished": "2024-11-07T13:31:20.238Z",
"dateReserved": "2024-08-13T07:15:00.599Z",
"dateUpdated": "2024-11-07T16:48:06.773Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-43431 (GCVE-0-2024-43431)
Vulnerability from cvelistv5 – Published: 2024-11-07 13:27 – Updated: 2024-11-07 15:55
Title
Moodle: idor in badges allows deletion of arbitrary badges
Summary
A vulnerability was found in Moodle. Insufficient capability checks made it possible to delete badges that a user does not have permission to access.
Severity
7.5 (High)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "moodle",
"vendor": "moodle",
"versions": [
{
"lessThan": "4.1.12",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "4.2.9",
"status": "affected",
"version": "4.2",
"versionType": "semver"
},
{
"lessThan": "4.3.6",
"status": "affected",
"version": "4.3",
"versionType": "semver"
},
{
"lessThan": "4.4.2",
"status": "affected",
"version": "4.4",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-43431",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-07T14:40:53.002108Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-07T15:55:57.730Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com/moodle/moodle",
"defaultStatus": "unaffected",
"packageName": "moodle",
"versions": [
{
"lessThan": "4.1.12",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "4.2.9",
"status": "affected",
"version": "4.2",
"versionType": "semver"
},
{
"lessThan": "4.3.6",
"status": "affected",
"version": "4.3",
"versionType": "semver"
},
{
"lessThan": "4.4.2",
"status": "affected",
"version": "4.4",
"versionType": "semver"
}
]
}
],
"datePublic": "2024-08-19T04:00:00+00:00",
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in Moodle. Insufficient capability checks made it possible to delete badges that a user does not have permission to access."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"providerMetadata": {
"dateUpdated": "2024-11-07T13:27:07.968Z",
"orgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5",
"shortName": "fedora"
},
"references": [
{
"name": "RHBZ#2304259",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2304259"
},
{
"url": "https://moodle.org/mod/forum/discuss.php?d=461199"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-08-12T00:00:00+00:00",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2024-08-19T04:00:00+00:00",
"value": "Made public."
}
],
"title": "Moodle: idor in badges allows deletion of arbitrary badges",
"workarounds": [
{
"lang": "en",
"value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."
}
]
}
},
"cveMetadata": {
"assignerOrgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5",
"assignerShortName": "fedora",
"cveId": "CVE-2024-43431",
"datePublished": "2024-11-07T13:27:07.968Z",
"dateReserved": "2024-08-13T07:15:00.598Z",
"dateUpdated": "2024-11-07T15:55:57.730Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-43429 (GCVE-0-2024-43429)
Vulnerability from cvelistv5 – Published: 2024-11-11 12:15 – Updated: 2024-11-12 15:16
Title
Moodle: user information visibility control issues in gradebook reports
Summary
A flaw was found in moodle. Some hidden user profile fields are visible in gradebook reports, which could result in users without the "view hidden user fields" capability having access to the information.
Severity
5.3 (Medium)
CWE
- CWE-312 - Cleartext Storage of Sensitive Information
Assigner
References
Impacted products
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "moodle",
"vendor": "moodle",
"versions": [
{
"lessThan": "4.1.12",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "4.2.9",
"status": "affected",
"version": "4.2",
"versionType": "semver"
},
{
"lessThan": "4.3.6",
"status": "affected",
"version": "4.3",
"versionType": "semver"
},
{
"lessThan": "4.4.2",
"status": "affected",
"version": "4.4",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-43429",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-12T15:15:16.555262Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-312",
"description": "CWE-312 Cleartext Storage of Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-12T15:16:37.165Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com/moodle/moodle",
"defaultStatus": "unaffected",
"packageName": "moodle",
"versions": [
{
"lessThan": "4.1.12",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "4.2.9",
"status": "affected",
"version": "4.2",
"versionType": "semver"
},
{
"lessThan": "4.3.6",
"status": "affected",
"version": "4.3",
"versionType": "semver"
},
{
"lessThan": "4.4.2",
"status": "affected",
"version": "4.4",
"versionType": "semver"
}
]
}
],
"datePublic": "2024-08-19T04:00:00+00:00",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in moodle. Some hidden user profile fields are visible in gradebook reports, which could result in users without the \"view hidden user fields\" capability having access to the information."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Low"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"providerMetadata": {
"dateUpdated": "2024-11-11T12:15:00.784Z",
"orgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5",
"shortName": "fedora"
},
"references": [
{
"name": "RHBZ#2304257",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2304257"
},
{
"url": "https://moodle.org/mod/forum/discuss.php?d=461197"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-08-12T00:00:00+00:00",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2024-08-19T04:00:00+00:00",
"value": "Made public."
}
],
"title": "Moodle: user information visibility control issues in gradebook reports"
}
},
"cveMetadata": {
"assignerOrgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5",
"assignerShortName": "fedora",
"cveId": "CVE-2024-43429",
"datePublished": "2024-11-11T12:15:00.784Z",
"dateReserved": "2024-08-13T07:15:00.598Z",
"dateUpdated": "2024-11-12T15:16:37.165Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-43428 (GCVE-0-2024-43428)
Vulnerability from cvelistv5 – Published: 2024-11-07 13:24 – Updated: 2025-02-10 22:26
Title
Moodle: cache poisoning via injection into storage
Summary
To address a cache poisoning risk in Moodle, additional validation for local storage was required.
Severity
7.7 (High)
CWE
- CWE-345 - Insufficient Verification of Data Authenticity
Assigner
References
Impacted products
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "moodle",
"vendor": "moodle",
"versions": [
{
"lessThan": "4.1.12",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "4.2.9",
"status": "affected",
"version": "4.2",
"versionType": "semver"
},
{
"lessThan": "4.3.6",
"status": "affected",
"version": "4.3",
"versionType": "semver"
},
{
"lessThan": "4.4.2",
"status": "affected",
"version": "4.4",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-43428",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-07T14:41:01.971776Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-345",
"description": "CWE-345 Insufficient Verification of Data Authenticity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-10T22:26:35.081Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com/moodle/moodle",
"defaultStatus": "unaffected",
"packageName": "moodle",
"versions": [
{
"lessThan": "4.1.12",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "4.2.9",
"status": "affected",
"version": "4.2",
"versionType": "semver"
},
{
"lessThan": "4.3.6",
"status": "affected",
"version": "4.3",
"versionType": "semver"
},
{
"lessThan": "4.4.2",
"status": "affected",
"version": "4.4",
"versionType": "semver"
}
]
}
],
"datePublic": "2024-08-19T04:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "To address a cache poisoning risk in Moodle, additional validation for local storage was required."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"providerMetadata": {
"dateUpdated": "2024-11-07T13:24:11.512Z",
"orgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5",
"shortName": "fedora"
},
"references": [
{
"name": "RHBZ#2304256",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2304256"
},
{
"url": "https://moodle.org/mod/forum/discuss.php?d=461196"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-08-12T00:00:00+00:00",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2024-08-19T04:00:00+00:00",
"value": "Made public."
}
],
"title": "Moodle: cache poisoning via injection into storage",
"workarounds": [
{
"lang": "en",
"value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."
}
]
}
},
"cveMetadata": {
"assignerOrgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5",
"assignerShortName": "fedora",
"cveId": "CVE-2024-43428",
"datePublished": "2024-11-07T13:24:11.512Z",
"dateReserved": "2024-08-13T07:15:00.598Z",
"dateUpdated": "2025-02-10T22:26:35.081Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-43430 (GCVE-0-2024-43430)
Vulnerability from cvelistv5 – Published: 2024-11-11 12:15 – Updated: 2024-11-12 15:01
Title
Moodle: lack of access control when using external methods for quiz overrides
Summary
A flaw was found in moodle. External API access to Quiz can override contained insufficient access control.
Severity
5.3 (Medium)
CWE
- CWE-276 - Incorrect Default Permissions
Assigner
References
Impacted products
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:moodle:moodle:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "moodle",
"vendor": "moodle",
"versions": [
{
"lessThan": "4.1.12",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "4.2.9",
"status": "affected",
"version": "4.2",
"versionType": "semver"
},
{
"lessThan": "4.4.2",
"status": "affected",
"version": "4.4",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-43430",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-12T14:57:03.948766Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-276",
"description": "CWE-276 Incorrect Default Permissions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-12T15:01:22.872Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com/moodle/moodle",
"defaultStatus": "unaffected",
"packageName": "moodle",
"versions": [
{
"lessThan": "4.1.12",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "4.2.9",
"status": "affected",
"version": "4.2",
"versionType": "semver"
},
{
"lessThan": "4.3.6",
"status": "affected",
"version": "4.3",
"versionType": "semver"
},
{
"lessThan": "4.4.2",
"status": "affected",
"version": "4.4",
"versionType": "semver"
}
]
}
],
"datePublic": "2024-08-19T04:00:00+00:00",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in moodle. External API access to Quiz can override contained insufficient access control."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Low"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"providerMetadata": {
"dateUpdated": "2024-11-11T12:15:36.451Z",
"orgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5",
"shortName": "fedora"
},
"references": [
{
"name": "RHBZ#2304258",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2304258"
},
{
"url": "https://moodle.org/mod/forum/discuss.php?d=461198"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-08-12T00:00:00+00:00",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2024-08-19T04:00:00+00:00",
"value": "Made public."
}
],
"title": "Moodle: lack of access control when using external methods for quiz overrides"
}
},
"cveMetadata": {
"assignerOrgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5",
"assignerShortName": "fedora",
"cveId": "CVE-2024-43430",
"datePublished": "2024-11-11T12:15:36.451Z",
"dateReserved": "2024-08-13T07:15:00.598Z",
"dateUpdated": "2024-11-12T15:01:22.872Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-43440 (GCVE-0-2024-43440)
Vulnerability from cvelistv5 – Published: 2024-11-07 13:32 – Updated: 2024-11-07 14:38
Title
Moodle: lfi vulnerability when restoring malformed block backups
Summary
A flaw was found in moodle. A local file may include risks when restoring block backups.
Severity
7.5 (High)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
Impacted products
Credits
Red Hat would like to thank Paul Holden for reporting this issue.
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "moodle",
"vendor": "moodle",
"versions": [
{
"lessThan": "4.1.12",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "4.2.9",
"status": "affected",
"version": "4.2",
"versionType": "semver"
},
{
"lessThan": "4.3.6",
"status": "affected",
"version": "4.3",
"versionType": "semver"
},
{
"lessThan": "4.4.2",
"status": "affected",
"version": "4.4",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-43440",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-07T14:23:21.250549Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-07T14:38:59.743Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com/moodle/moodle",
"defaultStatus": "unaffected",
"packageName": "moodle",
"versions": [
{
"lessThan": "4.1.12",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "4.2.9",
"status": "affected",
"version": "4.2",
"versionType": "semver"
},
{
"lessThan": "4.3.6",
"status": "affected",
"version": "4.3",
"versionType": "semver"
},
{
"lessThan": "4.4.2",
"status": "affected",
"version": "4.4",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Red Hat would like to thank Paul Holden for reporting this issue."
}
],
"datePublic": "2024-08-19T04:00:00+00:00",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in moodle. A local file may include risks when restoring block backups."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"providerMetadata": {
"dateUpdated": "2024-11-07T13:32:16.113Z",
"orgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5",
"shortName": "fedora"
},
"references": [
{
"name": "RHBZ#2304269",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2304269"
},
{
"url": "https://moodle.org/mod/forum/discuss.php?d=461210"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-08-12T00:00:00+00:00",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2024-08-19T04:00:00+00:00",
"value": "Made public."
}
],
"title": "Moodle: lfi vulnerability when restoring malformed block backups"
}
},
"cveMetadata": {
"assignerOrgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5",
"assignerShortName": "fedora",
"cveId": "CVE-2024-43440",
"datePublished": "2024-11-07T13:32:16.113Z",
"dateReserved": "2024-08-13T07:15:00.599Z",
"dateUpdated": "2024-11-07T14:38:59.743Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-43435 (GCVE-0-2024-43435)
Vulnerability from cvelistv5 – Published: 2024-11-11 12:17 – Updated: 2024-11-12 15:01
Title
Moodle: can create global glossary without being admin
Summary
A flaw was found in moodle. Insufficient capability checks make it possible for users with access to restore glossaries in courses to restore them into the global site glossary.
Severity
5.3 (Medium)
CWE
- CWE-754 - Improper Check for Unusual or Exceptional Conditions
Assigner
References
Impacted products
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "moodle",
"vendor": "moodle",
"versions": [
{
"lessThan": "4.1.12",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "4.2.9",
"status": "affected",
"version": "4.2",
"versionType": "semver"
},
{
"lessThan": "4.3.6",
"status": "affected",
"version": "4.3",
"versionType": "semver"
},
{
"lessThan": "4.4.2",
"status": "affected",
"version": "4.4",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-43435",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-12T14:57:03.261082Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-754",
"description": "CWE-754 Improper Check for Unusual or Exceptional Conditions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-12T15:01:08.757Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com/moodle/moodle",
"defaultStatus": "unaffected",
"packageName": "moodle",
"versions": [
{
"lessThan": "4.1.12",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "4.2.9",
"status": "affected",
"version": "4.2",
"versionType": "semver"
},
{
"lessThan": "4.3.6",
"status": "affected",
"version": "4.3",
"versionType": "semver"
},
{
"lessThan": "4.4.2",
"status": "affected",
"version": "4.4",
"versionType": "semver"
}
]
}
],
"datePublic": "2024-08-19T04:00:00+00:00",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in moodle. Insufficient capability checks make it possible for users with access to restore glossaries in courses to restore them into the global site glossary."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Low"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"providerMetadata": {
"dateUpdated": "2024-11-11T12:17:26.812Z",
"orgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5",
"shortName": "fedora"
},
"references": [
{
"name": "RHBZ#2304263",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2304263"
},
{
"url": "https://moodle.org/mod/forum/discuss.php?d=461205"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-08-12T00:00:00+00:00",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2024-08-19T04:00:00+00:00",
"value": "Made public."
}
],
"title": "Moodle: can create global glossary without being admin"
}
},
"cveMetadata": {
"assignerOrgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5",
"assignerShortName": "fedora",
"cveId": "CVE-2024-43435",
"datePublished": "2024-11-11T12:17:26.812Z",
"dateReserved": "2024-08-13T07:15:00.598Z",
"dateUpdated": "2024-11-12T15:01:08.757Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-43433 (GCVE-0-2024-43433)
Vulnerability from cvelistv5 – Published: 2024-11-11 12:16 – Updated: 2024-11-12 15:06
Title
Moodle: matrix user/power level management not always working as expected with suspended users
Summary
A flaw was found in moodle. Matrix room membership and power levels are incorrectly applied and revoked for suspended Moodle users.
Severity
5.3 (Medium)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
Impacted products
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "moodle",
"vendor": "moodle",
"versions": [
{
"lessThan": "4.1.12",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "4.2.9",
"status": "affected",
"version": "4.2",
"versionType": "semver"
},
{
"lessThan": "4.3.6",
"status": "affected",
"version": "4.3",
"versionType": "semver"
},
{
"lessThan": "4.4.2",
"status": "affected",
"version": "4.4",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-43433",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-12T15:02:57.899042Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-12T15:06:09.890Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com/moodle/moodle",
"defaultStatus": "unaffected",
"packageName": "moodle",
"versions": [
{
"lessThan": "4.1.12",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "4.2.9",
"status": "affected",
"version": "4.2",
"versionType": "semver"
},
{
"lessThan": "4.3.6",
"status": "affected",
"version": "4.3",
"versionType": "semver"
},
{
"lessThan": "4.4.2",
"status": "affected",
"version": "4.4",
"versionType": "semver"
}
]
}
],
"datePublic": "2024-08-19T04:00:00+00:00",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in moodle. Matrix room membership and power levels are incorrectly applied and revoked for suspended Moodle users."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Low"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"providerMetadata": {
"dateUpdated": "2024-11-11T12:16:46.270Z",
"orgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5",
"shortName": "fedora"
},
"references": [
{
"name": "RHBZ#2304261",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2304261"
},
{
"url": "https://moodle.org/mod/forum/discuss.php?d=461202"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-08-12T00:00:00+00:00",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2024-08-19T04:00:00+00:00",
"value": "Made public."
}
],
"title": "Moodle: matrix user/power level management not always working as expected with suspended users"
}
},
"cveMetadata": {
"assignerOrgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5",
"assignerShortName": "fedora",
"cveId": "CVE-2024-43433",
"datePublished": "2024-11-11T12:16:46.270Z",
"dateReserved": "2024-08-13T07:15:00.598Z",
"dateUpdated": "2024-11-12T15:06:09.890Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-43434 (GCVE-0-2024-43434)
Vulnerability from cvelistv5 – Published: 2024-11-07 13:28 – Updated: 2024-11-07 15:56
Title
Moodle: csrf risk in feedback non-respondents report
Summary
The bulk message sending feature in Moodle's Feedback module's non-respondents report had an incorrect CSRF token check, leading to a CSRF vulnerability.
Severity
8.1 (High)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
Impacted products
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "moodle",
"vendor": "moodle",
"versions": [
{
"lessThan": "4.1.12",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "4.2.9",
"status": "affected",
"version": "4.2",
"versionType": "semver"
},
{
"lessThan": "4.3.6",
"status": "affected",
"version": "4.3",
"versionType": "semver"
},
{
"lessThan": "4.4.2",
"status": "affected",
"version": "4.4",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-43434",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-07T14:40:44.970094Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-07T15:56:27.455Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com/moodle/moodle",
"defaultStatus": "unaffected",
"packageName": "moodle",
"versions": [
{
"lessThan": "4.1.12",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "4.2.9",
"status": "affected",
"version": "4.2",
"versionType": "semver"
},
{
"lessThan": "4.3.6",
"status": "affected",
"version": "4.3",
"versionType": "semver"
},
{
"lessThan": "4.4.2",
"status": "affected",
"version": "4.4",
"versionType": "semver"
}
]
}
],
"datePublic": "2024-08-19T04:00:00+00:00",
"descriptions": [
{
"lang": "en",
"value": "The bulk message sending feature in Moodle\u0027s Feedback module\u0027s non-respondents report had an incorrect CSRF token check, leading to a CSRF vulnerability."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"providerMetadata": {
"dateUpdated": "2024-11-07T13:28:27.671Z",
"orgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5",
"shortName": "fedora"
},
"references": [
{
"name": "RHBZ#2304262",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2304262"
},
{
"url": "https://moodle.org/mod/forum/discuss.php?d=461203"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-08-12T00:00:00+00:00",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2024-08-19T04:00:00+00:00",
"value": "Made public."
}
],
"title": "Moodle: csrf risk in feedback non-respondents report",
"workarounds": [
{
"lang": "en",
"value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."
}
]
}
},
"cveMetadata": {
"assignerOrgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5",
"assignerShortName": "fedora",
"cveId": "CVE-2024-43434",
"datePublished": "2024-11-07T13:28:27.671Z",
"dateReserved": "2024-08-13T07:15:00.598Z",
"dateUpdated": "2024-11-07T15:56:27.455Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-43437 (GCVE-0-2024-43437)
Vulnerability from cvelistv5 – Published: 2024-11-11 12:19 – Updated: 2025-03-13 14:04
Title
Moodle: xss risk when restoring malicious course backup file
Summary
A flaw was found in moodle. Insufficient sanitizing of data when performing a restore could result in a cross-site scripting (XSS) risk from malicious backup files.
Severity
5.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-43437",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-11T14:28:15.911800Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-13T14:04:35.671Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com/moodle/moodle",
"defaultStatus": "unaffected",
"packageName": "moodle",
"versions": [
{
"lessThan": "4.1.12",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "4.2.9",
"status": "affected",
"version": "4.2",
"versionType": "semver"
},
{
"lessThan": "4.3.6",
"status": "affected",
"version": "4.3",
"versionType": "semver"
},
{
"lessThan": "4.4.2",
"status": "affected",
"version": "4.4",
"versionType": "semver"
}
]
}
],
"datePublic": "2024-08-19T04:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in moodle. Insufficient sanitizing of data when performing a restore could result in a cross-site scripting (XSS) risk from malicious backup files."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Low"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"providerMetadata": {
"dateUpdated": "2024-11-11T12:19:25.715Z",
"orgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5",
"shortName": "fedora"
},
"references": [
{
"name": "RHBZ#2304266",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2304266"
},
{
"url": "https://moodle.org/mod/forum/discuss.php?d=461207"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-08-12T00:00:00+00:00",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2024-08-19T04:00:00+00:00",
"value": "Made public."
}
],
"title": "Moodle: xss risk when restoring malicious course backup file"
}
},
"cveMetadata": {
"assignerOrgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5",
"assignerShortName": "fedora",
"cveId": "CVE-2024-43437",
"datePublished": "2024-11-11T12:19:25.715Z",
"dateReserved": "2024-08-13T07:15:00.599Z",
"dateUpdated": "2025-03-13T14:04:35.671Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-43439 (GCVE-0-2024-43439)
Vulnerability from cvelistv5 – Published: 2024-11-11 16:00 – Updated: 2024-11-12 14:55
Title
Moodle: reflected xss via h5p error message
Summary
A flaw was found in moodle. H5P error messages require additional sanitizing to prevent a reflected cross-site scripting (XSS) risk.
Severity
5.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:moodle:moodle:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "moodle",
"vendor": "moodle",
"versions": [
{
"lessThan": "4.1.12",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "4.2.9",
"status": "affected",
"version": "4.2",
"versionType": "semver"
},
{
"lessThan": "4.4.2",
"status": "affected",
"version": "4.4",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-43439",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-12T14:50:51.322123Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-12T14:55:08.278Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com/moodle/moodle",
"defaultStatus": "unaffected",
"packageName": "moodle",
"versions": [
{
"lessThan": "4.1.12",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "4.2.9",
"status": "affected",
"version": "4.2",
"versionType": "semver"
},
{
"lessThan": "4.3.6",
"status": "affected",
"version": "4.3",
"versionType": "semver"
},
{
"lessThan": "4.4.2",
"status": "affected",
"version": "4.4",
"versionType": "semver"
}
]
}
],
"datePublic": "2024-08-19T04:00:00+00:00",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in moodle. H5P error messages require additional sanitizing to prevent a reflected cross-site scripting (XSS) risk."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Low"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"providerMetadata": {
"dateUpdated": "2024-11-11T16:00:39.212Z",
"orgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5",
"shortName": "fedora"
},
"references": [
{
"name": "RHBZ#2304268",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2304268"
},
{
"url": "https://moodle.org/mod/forum/discuss.php?d=461209"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-08-12T00:00:00+00:00",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2024-08-19T04:00:00+00:00",
"value": "Made public."
}
],
"title": "Moodle: reflected xss via h5p error message"
}
},
"cveMetadata": {
"assignerOrgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5",
"assignerShortName": "fedora",
"cveId": "CVE-2024-43439",
"datePublished": "2024-11-11T16:00:39.212Z",
"dateReserved": "2024-08-13T07:15:00.599Z",
"dateUpdated": "2024-11-12T14:55:08.278Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-43432 (GCVE-0-2024-43432)
Vulnerability from cvelistv5 – Published: 2024-11-11 12:16 – Updated: 2024-11-12 15:14
Title
Moodle: authorization headers preserved between "emulated redirects"
Summary
A flaw was found in moodle. The cURL wrapper in Moodle strips HTTPAUTH and USERPWD headers during emulated redirects, but retains other original request headers, so HTTP authorization header information could be unintentionally sent in requests to redirect URLs.
Severity
5.3 (Medium)
CWE
- CWE-319 - Cleartext Transmission of Sensitive Information
Assigner
References
Impacted products
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "moodle",
"vendor": "moodle",
"versions": [
{
"lessThan": "4.1.12",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "4.2.9",
"status": "affected",
"version": "4.2",
"versionType": "semver"
},
{
"lessThan": "4.3.6",
"status": "affected",
"version": "4.3",
"versionType": "semver"
},
{
"lessThan": "4.4.2",
"status": "affected",
"version": "4.4",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-43432",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-12T15:06:57.126320Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-319",
"description": "CWE-319 Cleartext Transmission of Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-12T15:14:27.618Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com/moodle/moodle",
"defaultStatus": "unaffected",
"packageName": "moodle",
"versions": [
{
"lessThan": "4.1.12",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "4.2.9",
"status": "affected",
"version": "4.2",
"versionType": "semver"
},
{
"lessThan": "4.3.6",
"status": "affected",
"version": "4.3",
"versionType": "semver"
},
{
"lessThan": "4.4.2",
"status": "affected",
"version": "4.4",
"versionType": "semver"
}
]
}
],
"datePublic": "2024-08-19T04:00:00+00:00",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in moodle. The cURL wrapper in Moodle strips HTTPAUTH and USERPWD headers during emulated redirects, but retains other original request headers, so HTTP authorization header information could be unintentionally sent in requests to redirect URLs."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Low"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"providerMetadata": {
"dateUpdated": "2024-11-11T12:16:04.901Z",
"orgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5",
"shortName": "fedora"
},
"references": [
{
"name": "RHBZ#2304260",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2304260"
},
{
"url": "https://moodle.org/mod/forum/discuss.php?d=461200"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-08-12T00:00:00+00:00",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2024-08-19T04:00:00+00:00",
"value": "Made public."
}
],
"title": "Moodle: authorization headers preserved between \"emulated redirects\""
}
},
"cveMetadata": {
"assignerOrgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5",
"assignerShortName": "fedora",
"cveId": "CVE-2024-43432",
"datePublished": "2024-11-11T12:16:04.901Z",
"dateReserved": "2024-08-13T07:15:00.598Z",
"dateUpdated": "2024-11-12T15:14:27.618Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-43427 (GCVE-0-2024-43427)
Vulnerability from cvelistv5 – Published: 2024-11-11 12:14 – Updated: 2024-11-12 15:03
Title
Moodle: admin presets export tool includes some secrets that should not be exported
Summary
A flaw was found in moodle. When creating an export of site administration presets, some sensitive secrets and keys are not being excluded from the export, which could result in them unintentionally being leaked if the presets are shared with a third party.
Severity
CWE
- CWE-922 - Insecure Storage of Sensitive Information
Assigner
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-43427",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-12T15:02:44.827202Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-922",
"description": "CWE-922 Insecure Storage of Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-12T15:03:14.383Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com/moodle/moodle",
"defaultStatus": "unaffected",
"packageName": "moodle",
"versions": [
{
"lessThan": "4.1.12",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "4.2.9",
"status": "affected",
"version": "4.2",
"versionType": "semver"
},
{
"lessThan": "4.3.6",
"status": "affected",
"version": "4.3",
"versionType": "semver"
},
{
"lessThan": "4.4.2",
"status": "affected",
"version": "4.4",
"versionType": "semver"
}
]
}
],
"datePublic": "2024-08-19T04:00:00+00:00",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in moodle. When creating an export of site administration presets, some sensitive secrets and keys are not being excluded from the export, which could result in them unintentionally being leaked if the presets are shared with a third party."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Low"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"providerMetadata": {
"dateUpdated": "2024-11-11T12:14:22.984Z",
"orgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5",
"shortName": "fedora"
},
"references": [
{
"name": "RHBZ#2304255",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2304255"
},
{
"url": "https://moodle.org/mod/forum/discuss.php?d=461195"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-08-12T00:00:00+00:00",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2024-08-19T04:00:00+00:00",
"value": "Made public."
}
],
"title": "Moodle: admin presets export tool includes some secrets that should not be exported"
}
},
"cveMetadata": {
"assignerOrgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5",
"assignerShortName": "fedora",
"cveId": "CVE-2024-43427",
"datePublished": "2024-11-11T12:14:22.984Z",
"dateReserved": "2024-08-13T07:15:00.597Z",
"dateUpdated": "2024-11-12T15:03:14.383Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-43436 (GCVE-0-2024-43436)
Vulnerability from cvelistv5 – Published: 2024-11-07 13:29 – Updated: 2024-11-07 15:57
Title
Moodle: site administration sql injection via xmldb editor
Summary
A SQL injection risk flaw was found in the XMLDB editor tool available to site administrators.
Severity
7.2 (High)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
Impacted products
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "moodle",
"vendor": "moodle",
"versions": [
{
"lessThan": "4.1.12",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "4.2.9",
"status": "affected",
"version": "4.2",
"versionType": "semver"
},
{
"lessThan": "4.3.6",
"status": "affected",
"version": "4.3",
"versionType": "semver"
},
{
"lessThan": "4.4.2",
"status": "affected",
"version": "4.4",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-43436",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-07T14:40:37.036006Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-07T15:57:00.698Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com/moodle/moodle",
"defaultStatus": "unaffected",
"packageName": "moodle",
"versions": [
{
"lessThan": "4.1.12",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "4.2.9",
"status": "affected",
"version": "4.2",
"versionType": "semver"
},
{
"lessThan": "4.3.6",
"status": "affected",
"version": "4.3",
"versionType": "semver"
},
{
"lessThan": "4.4.2",
"status": "affected",
"version": "4.4",
"versionType": "semver"
}
]
}
],
"datePublic": "2024-08-19T04:00:00+00:00",
"descriptions": [
{
"lang": "en",
"value": "A SQL injection risk flaw was found in the XMLDB editor tool available to site administrators."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"providerMetadata": {
"dateUpdated": "2024-11-07T13:29:57.912Z",
"orgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5",
"shortName": "fedora"
},
"references": [
{
"name": "RHBZ#2304264",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2304264"
},
{
"url": "https://moodle.org/mod/forum/discuss.php?d=461206"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-08-12T00:00:00+00:00",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2024-08-19T04:00:00+00:00",
"value": "Made public."
}
],
"title": "Moodle: site administration sql injection via xmldb editor",
"workarounds": [
{
"lang": "en",
"value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."
}
]
}
},
"cveMetadata": {
"assignerOrgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5",
"assignerShortName": "fedora",
"cveId": "CVE-2024-43436",
"datePublished": "2024-11-07T13:29:57.912Z",
"dateReserved": "2024-08-13T07:15:00.598Z",
"dateUpdated": "2024-11-07T15:57:00.698Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-43426 (GCVE-0-2024-43426)
Vulnerability from cvelistv5 – Published: 2024-11-07 13:22 – Updated: 2025-02-10 22:27
Title
Moodle: arbitrary file read risk through pdftex
Summary
A flaw was found in pdfTeX. Insufficient sanitizing in the TeX notation filter resulted in an arbitrary file read risk on sites where pdfTeX is available, such as those with TeX Live installed.
Severity
7.5 (High)
CWE
- CWE-1287 - Improper Validation of Specified Type of Input
Impacted products
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "moodle",
"vendor": "moodle",
"versions": [
{
"lessThan": "4.1.12",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "4.2.9",
"status": "affected",
"version": "4.2",
"versionType": "semver"
},
{
"lessThan": "4.3.6",
"status": "affected",
"version": "4.3",
"versionType": "semver"
},
{
"lessThan": "4.4.2",
"status": "affected",
"version": "4.4",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-43426",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-07T14:41:10.596625Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1287",
"description": "CWE-1287 Improper Validation of Specified Type of Input",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-10T22:27:06.037Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com/moodle/moodle",
"defaultStatus": "unaffected",
"packageName": "moodle",
"versions": [
{
"lessThan": "4.1.12",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "4.2.9",
"status": "affected",
"version": "4.2",
"versionType": "semver"
},
{
"lessThan": "4.3.6",
"status": "affected",
"version": "4.3",
"versionType": "semver"
},
{
"lessThan": "4.4.2",
"status": "affected",
"version": "4.4",
"versionType": "semver"
}
]
}
],
"datePublic": "2024-08-19T04:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in pdfTeX. Insufficient sanitizing in the TeX notation filter resulted in an arbitrary file read risk on sites where pdfTeX is available, such as those with TeX Live installed."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"providerMetadata": {
"dateUpdated": "2024-11-07T13:22:42.839Z",
"orgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5",
"shortName": "fedora"
},
"references": [
{
"name": "RHBZ#2304254",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2304254"
},
{
"url": "https://moodle.org/mod/forum/discuss.php?d=461194"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-08-12T00:00:00+00:00",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2024-08-19T04:00:00+00:00",
"value": "Made public."
}
],
"title": "Moodle: arbitrary file read risk through pdftex"
}
},
"cveMetadata": {
"assignerOrgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5",
"assignerShortName": "fedora",
"cveId": "CVE-2024-43426",
"datePublished": "2024-11-07T13:22:42.839Z",
"dateReserved": "2024-08-13T07:15:00.597Z",
"dateUpdated": "2025-02-10T22:27:06.037Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-43425 (GCVE-0-2024-43425)
Vulnerability from cvelistv5 – Published: 2024-11-07 13:21 – Updated: 2024-11-07 14:45
Title
Moodle: remote code execution via calculated question types
Summary
A flaw was found in Moodle. Additional restrictions are required to avoid a remote code execution risk in calculated question types. Note: This requires the capability to add/update questions.
Severity
8.1 (High)
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Impacted products
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "moodle",
"vendor": "moodle",
"versions": [
{
"lessThan": "4.1.12",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "4.2.9",
"status": "affected",
"version": "4.2",
"versionType": "semver"
},
{
"lessThan": "4.3.6",
"status": "affected",
"version": "4.3",
"versionType": "semver"
},
{
"lessThan": "4.4.2",
"status": "affected",
"version": "4.4",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-43425",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-07T14:41:20.305328Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-07T14:45:17.071Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com/moodle/moodle",
"defaultStatus": "unaffected",
"packageName": "moodle",
"versions": [
{
"lessThan": "4.1.12",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "4.2.9",
"status": "affected",
"version": "4.2",
"versionType": "semver"
},
{
"lessThan": "4.3.6",
"status": "affected",
"version": "4.3",
"versionType": "semver"
},
{
"lessThan": "4.4.2",
"status": "affected",
"version": "4.4",
"versionType": "semver"
}
]
}
],
"datePublic": "2024-08-19T04:00:00+00:00",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in Moodle. Additional restrictions are required to avoid a remote code execution risk in calculated question types. Note: This requires the capability to add/update questions."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"providerMetadata": {
"dateUpdated": "2024-11-07T13:21:59.014Z",
"orgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5",
"shortName": "fedora"
},
"references": [
{
"name": "RHBZ#2304253",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2304253"
},
{
"url": "https://moodle.org/mod/forum/discuss.php?d=461193"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-08-12T00:00:00+00:00",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2024-08-19T04:00:00+00:00",
"value": "Made public."
}
],
"title": "Moodle: remote code execution via calculated question types"
}
},
"cveMetadata": {
"assignerOrgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5",
"assignerShortName": "fedora",
"cveId": "CVE-2024-43425",
"datePublished": "2024-11-07T13:21:59.014Z",
"dateReserved": "2024-08-13T07:15:00.597Z",
"dateUpdated": "2024-11-07T14:45:17.071Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Sightings
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.