CERTFR-2024-AVI-0696
Vulnerability from certfr_avis - Published: - Updated:
Multiple vulnerabilities have been discovered in Moodle. Some of them allow an attacker to cause remote arbitrary code execution, a breach of data confidentiality, and a breach of data integrity.
Solutions
Refer to the vendor's security bulletin to obtain the patches (see the Documentation section).
Impacted products
References
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Moodle versions ant\u00e9rieures \u00e0 4.1.12",
"product": {
"name": "N/A",
"vendor": {
"name": "Moodle",
"scada": false
}
}
},
{
"description": "Moodle versions 4.3.x ant\u00e9rieures \u00e0 4.3.6",
"product": {
"name": "N/A",
"vendor": {
"name": "Moodle",
"scada": false
}
}
},
{
"description": "Moodle versions 4.4.x ant\u00e9rieures \u00e0 4.4.2",
"product": {
"name": "N/A",
"vendor": {
"name": "Moodle",
"scada": false
}
}
},
{
"description": "Moodle versions 4.2.x ant\u00e9rieures \u00e0 4.2.9 ",
"product": {
"name": "N/A",
"vendor": {
"name": "Moodle",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2024-43427",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-43427"
},
{
"name": "CVE-2024-43434",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-43434"
},
{
"name": "CVE-2024-43425",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-43425"
},
{
"name": "CVE-2024-43436",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-43436"
},
{
"name": "CVE-2024-43435",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-43435"
},
{
"name": "CVE-2024-43437",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-43437"
},
{
"name": "CVE-2024-43429",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-43429"
},
{
"name": "CVE-2024-43428",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-43428"
},
{
"name": "CVE-2024-43438",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-43438"
},
{
"name": "CVE-2024-43439",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-43439"
},
{
"name": "CVE-2024-43432",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-43432"
},
{
"name": "CVE-2024-43431",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-43431"
},
{
"name": "CVE-2024-43430",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-43430"
},
{
"name": "CVE-2024-43426",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-43426"
},
{
"name": "CVE-2024-43440",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-43440"
},
{
"name": "CVE-2024-43433",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-43433"
}
],
"links": [],
"reference": "CERTFR-2024-AVI-0696",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2024-08-19T00:00:00.000000"
}
],
"risks": [
{
"description": "Injection de code indirecte \u00e0 distance (XSS)"
},
{
"description": "Injection de requ\u00eates ill\u00e9gitimes par rebond (CSRF)"
},
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Moodle. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance, une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es et une atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans Moodle",
"vendor_advisories": [
{
"published_at": "2024-08-19",
"title": "Bulletin de s\u00e9curit\u00e9 Moodle MSA-24-0034",
"url": "https://moodle.org/mod/forum/discuss.php?d=461202"
},
{
"published_at": "2024-08-19",
"title": "Bulletin de s\u00e9curit\u00e9 Moodle MSA-24-0041",
"url": "https://moodle.org/mod/forum/discuss.php?d=461210"
},
{
"published_at": "2024-08-19",
"title": "Bulletin de s\u00e9curit\u00e9 Moodle MSA-24-0035",
"url": "https://moodle.org/mod/forum/discuss.php?d=461203"
},
{
"published_at": "2024-08-19",
"title": "Bulletin de s\u00e9curit\u00e9 Moodle MSA-24-0029",
"url": "https://moodle.org/mod/forum/discuss.php?d=461196"
},
{
"published_at": "2024-08-19",
"title": "Bulletin de s\u00e9curit\u00e9 Moodle MSA-24-0038",
"url": "https://moodle.org/mod/forum/discuss.php?d=461207"
},
{
"published_at": "2024-08-19",
"title": "Bulletin de s\u00e9curit\u00e9 Moodle MSA-24-0040",
"url": "https://moodle.org/mod/forum/discuss.php?d=461209"
},
{
"published_at": "2024-08-19",
"title": "Bulletin de s\u00e9curit\u00e9 Moodle MSA-24-0039",
"url": "https://moodle.org/mod/forum/discuss.php?d=461208"
},
{
"published_at": "2024-08-19",
"title": "Bulletin de s\u00e9curit\u00e9 Moodle MSA-24-0032",
"url": "https://moodle.org/mod/forum/discuss.php?d=461199"
},
{
"published_at": "2024-08-19",
"title": "Bulletin de s\u00e9curit\u00e9 Moodle MSA-24-0028",
"url": "https://moodle.org/mod/forum/discuss.php?d=461195"
},
{
"published_at": "2024-08-19",
"title": "Bulletin de s\u00e9curit\u00e9 Moodle MSA-24-0033",
"url": "https://moodle.org/mod/forum/discuss.php?d=461200"
},
{
"published_at": "2024-08-19",
"title": "Bulletin de s\u00e9curit\u00e9 Moodle MSA-24-0037",
"url": "https://moodle.org/mod/forum/discuss.php?d=461206"
},
{
"published_at": "2024-08-19",
"title": "Bulletin de s\u00e9curit\u00e9 Moodle MSA-24-0030",
"url": "https://moodle.org/mod/forum/discuss.php?d=461197"
},
{
"published_at": "2024-08-19",
"title": "Bulletin de s\u00e9curit\u00e9 Moodle MSA-24-0026",
"url": "https://moodle.org/mod/forum/discuss.php?d=461193"
},
{
"published_at": "2024-08-19",
"title": "Bulletin de s\u00e9curit\u00e9 Moodle MSA-24-0031",
"url": "https://moodle.org/mod/forum/discuss.php?d=461198"
},
{
"published_at": "2024-08-19",
"title": "Bulletin de s\u00e9curit\u00e9 Moodle MSA-24-0027",
"url": "https://moodle.org/mod/forum/discuss.php?d=461194"
},
{
"published_at": "2024-08-19",
"title": "Bulletin de s\u00e9curit\u00e9 Moodle MSA-24-0036",
"url": "https://moodle.org/mod/forum/discuss.php?d=461205"
}
]
}
CVE-2024-43425 (GCVE-0-2024-43425)
Vulnerability from cvelistv5 – Published: 2024-11-07 13:21 – Updated: 2024-11-07 14:45
Title
Moodle: remote code execution via calculated question types
Summary
A flaw was found in Moodle. Additional restrictions are required to avoid a remote code execution risk in calculated question types. Note: This requires the capability to add/update questions.
Severity
8.1 (High)
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://bugzilla.redhat.com/show_bug.cgi?id=2304253 | issue-tracking, x_refsource_REDHAT |
| https://moodle.org/mod/forum/discuss.php?d=461193 | |
Impacted products
Date Public
2024-08-19 04:00
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "moodle",
"vendor": "moodle",
"versions": [
{
"lessThan": "4.1.12",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "4.2.9",
"status": "affected",
"version": "4.2",
"versionType": "semver"
},
{
"lessThan": "4.3.6",
"status": "affected",
"version": "4.3",
"versionType": "semver"
},
{
"lessThan": "4.4.2",
"status": "affected",
"version": "4.4",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-43425",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-07T14:41:20.305328Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-07T14:45:17.071Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com/moodle/moodle",
"defaultStatus": "unaffected",
"packageName": "moodle",
"versions": [
{
"lessThan": "4.1.12",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "4.2.9",
"status": "affected",
"version": "4.2",
"versionType": "semver"
},
{
"lessThan": "4.3.6",
"status": "affected",
"version": "4.3",
"versionType": "semver"
},
{
"lessThan": "4.4.2",
"status": "affected",
"version": "4.4",
"versionType": "semver"
}
]
}
],
"datePublic": "2024-08-19T04:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in Moodle. Additional restrictions are required to avoid a remote code execution risk in calculated question types. Note: This requires the capability to add/update questions."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"providerMetadata": {
"dateUpdated": "2024-11-07T13:21:59.014Z",
"orgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5",
"shortName": "fedora"
},
"references": [
{
"name": "RHBZ#2304253",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2304253"
},
{
"url": "https://moodle.org/mod/forum/discuss.php?d=461193"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-08-12T00:00:00.000Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2024-08-19T04:00:00.000Z",
"value": "Made public."
}
],
"title": "Moodle: remote code execution via calculated question types"
}
},
"cveMetadata": {
"assignerOrgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5",
"assignerShortName": "fedora",
"cveId": "CVE-2024-43425",
"datePublished": "2024-11-07T13:21:59.014Z",
"dateReserved": "2024-08-13T07:15:00.597Z",
"dateUpdated": "2024-11-07T14:45:17.071Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-43426 (GCVE-0-2024-43426)
Vulnerability from cvelistv5 – Published: 2024-11-07 13:22 – Updated: 2025-02-10 22:27
Title
Moodle: arbitrary file read risk through pdftex
Summary
A flaw was found in pdfTeX. Insufficient sanitizing in the TeX notation filter resulted in an arbitrary file read risk on sites where pdfTeX is available, such as those with TeX Live installed.
Severity
7.5 (High)
CWE
- CWE-1287 - Improper Validation of Specified Type of Input
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://bugzilla.redhat.com/show_bug.cgi?id=2304254 | issue-tracking, x_refsource_REDHAT |
| https://moodle.org/mod/forum/discuss.php?d=461194 | |
Impacted products
Date Public
2024-08-19 04:00
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "moodle",
"vendor": "moodle",
"versions": [
{
"lessThan": "4.1.12",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "4.2.9",
"status": "affected",
"version": "4.2",
"versionType": "semver"
},
{
"lessThan": "4.3.6",
"status": "affected",
"version": "4.3",
"versionType": "semver"
},
{
"lessThan": "4.4.2",
"status": "affected",
"version": "4.4",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-43426",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-07T14:41:10.596625Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1287",
"description": "CWE-1287 Improper Validation of Specified Type of Input",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-10T22:27:06.037Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com/moodle/moodle",
"defaultStatus": "unaffected",
"packageName": "moodle",
"versions": [
{
"lessThan": "4.1.12",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "4.2.9",
"status": "affected",
"version": "4.2",
"versionType": "semver"
},
{
"lessThan": "4.3.6",
"status": "affected",
"version": "4.3",
"versionType": "semver"
},
{
"lessThan": "4.4.2",
"status": "affected",
"version": "4.4",
"versionType": "semver"
}
]
}
],
"datePublic": "2024-08-19T04:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in pdfTeX. Insufficient sanitizing in the TeX notation filter resulted in an arbitrary file read risk on sites where pdfTeX is available, such as those with TeX Live installed."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"providerMetadata": {
"dateUpdated": "2024-11-07T13:22:42.839Z",
"orgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5",
"shortName": "fedora"
},
"references": [
{
"name": "RHBZ#2304254",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2304254"
},
{
"url": "https://moodle.org/mod/forum/discuss.php?d=461194"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-08-12T00:00:00.000Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2024-08-19T04:00:00.000Z",
"value": "Made public."
}
],
"title": "Moodle: arbitrary file read risk through pdftex"
}
},
"cveMetadata": {
"assignerOrgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5",
"assignerShortName": "fedora",
"cveId": "CVE-2024-43426",
"datePublished": "2024-11-07T13:22:42.839Z",
"dateReserved": "2024-08-13T07:15:00.597Z",
"dateUpdated": "2025-02-10T22:27:06.037Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-43427 (GCVE-0-2024-43427)
Vulnerability from cvelistv5 – Published: 2024-11-11 12:14 – Updated: 2024-11-12 15:03
Title
Moodle: admin presets export tool includes some secrets that should not be exported
Summary
A flaw was found in moodle. When creating an export of site administration presets, some sensitive secrets and keys are not being excluded from the export, which could result in them unintentionally being leaked if the presets are shared with a third party.
Severity
CWE
- CWE-922 - Insecure Storage of Sensitive Information
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://bugzilla.redhat.com/show_bug.cgi?id=2304255 | issue-tracking, x_refsource_REDHAT |
| https://moodle.org/mod/forum/discuss.php?d=461195 | |
Impacted products
Date Public
2024-08-19 04:00
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-43427",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-12T15:02:44.827202Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-922",
"description": "CWE-922 Insecure Storage of Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-12T15:03:14.383Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com/moodle/moodle",
"defaultStatus": "unaffected",
"packageName": "moodle",
"versions": [
{
"lessThan": "4.1.12",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "4.2.9",
"status": "affected",
"version": "4.2",
"versionType": "semver"
},
{
"lessThan": "4.3.6",
"status": "affected",
"version": "4.3",
"versionType": "semver"
},
{
"lessThan": "4.4.2",
"status": "affected",
"version": "4.4",
"versionType": "semver"
}
]
}
],
"datePublic": "2024-08-19T04:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in moodle. When creating an export of site administration presets, some sensitive secrets and keys are not being excluded from the export, which could result in them unintentionally being leaked if the presets are shared with a third party."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Low"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"providerMetadata": {
"dateUpdated": "2024-11-11T12:14:22.984Z",
"orgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5",
"shortName": "fedora"
},
"references": [
{
"name": "RHBZ#2304255",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2304255"
},
{
"url": "https://moodle.org/mod/forum/discuss.php?d=461195"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-08-12T00:00:00.000Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2024-08-19T04:00:00.000Z",
"value": "Made public."
}
],
"title": "Moodle: admin presets export tool includes some secrets that should not be exported"
}
},
"cveMetadata": {
"assignerOrgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5",
"assignerShortName": "fedora",
"cveId": "CVE-2024-43427",
"datePublished": "2024-11-11T12:14:22.984Z",
"dateReserved": "2024-08-13T07:15:00.597Z",
"dateUpdated": "2024-11-12T15:03:14.383Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-43428 (GCVE-0-2024-43428)
Vulnerability from cvelistv5 – Published: 2024-11-07 13:24 – Updated: 2025-02-10 22:26
Title
Moodle: cache poisoning via injection into storage
Summary
To address a cache poisoning risk in Moodle, additional validation for local storage was required.
Severity
7.7 (High)
CWE
- CWE-345 - Insufficient Verification of Data Authenticity
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://bugzilla.redhat.com/show_bug.cgi?id=2304256 | issue-tracking, x_refsource_REDHAT |
| https://moodle.org/mod/forum/discuss.php?d=461196 | |
Impacted products
Date Public
2024-08-19 04:00
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "moodle",
"vendor": "moodle",
"versions": [
{
"lessThan": "4.1.12",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "4.2.9",
"status": "affected",
"version": "4.2",
"versionType": "semver"
},
{
"lessThan": "4.3.6",
"status": "affected",
"version": "4.3",
"versionType": "semver"
},
{
"lessThan": "4.4.2",
"status": "affected",
"version": "4.4",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-43428",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-07T14:41:01.971776Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-345",
"description": "CWE-345 Insufficient Verification of Data Authenticity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-10T22:26:35.081Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com/moodle/moodle",
"defaultStatus": "unaffected",
"packageName": "moodle",
"versions": [
{
"lessThan": "4.1.12",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "4.2.9",
"status": "affected",
"version": "4.2",
"versionType": "semver"
},
{
"lessThan": "4.3.6",
"status": "affected",
"version": "4.3",
"versionType": "semver"
},
{
"lessThan": "4.4.2",
"status": "affected",
"version": "4.4",
"versionType": "semver"
}
]
}
],
"datePublic": "2024-08-19T04:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "To address a cache poisoning risk in Moodle, additional validation for local storage was required."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"providerMetadata": {
"dateUpdated": "2024-11-07T13:24:11.512Z",
"orgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5",
"shortName": "fedora"
},
"references": [
{
"name": "RHBZ#2304256",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2304256"
},
{
"url": "https://moodle.org/mod/forum/discuss.php?d=461196"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-08-12T00:00:00.000Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2024-08-19T04:00:00.000Z",
"value": "Made public."
}
],
"title": "Moodle: cache poisoning via injection into storage",
"workarounds": [
{
"lang": "en",
"value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."
}
]
}
},
"cveMetadata": {
"assignerOrgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5",
"assignerShortName": "fedora",
"cveId": "CVE-2024-43428",
"datePublished": "2024-11-07T13:24:11.512Z",
"dateReserved": "2024-08-13T07:15:00.598Z",
"dateUpdated": "2025-02-10T22:26:35.081Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-43429 (GCVE-0-2024-43429)
Vulnerability from cvelistv5 – Published: 2024-11-11 12:15 – Updated: 2024-11-12 15:16
Title
Moodle: user information visibility control issues in gradebook reports
Summary
A flaw was found in moodle. Some hidden user profile fields are visible in gradebook reports, which could result in users without the "view hidden user fields" capability having access to the information.
Severity
5.3 (Medium)
CWE
- CWE-312 - Cleartext Storage of Sensitive Information
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://bugzilla.redhat.com/show_bug.cgi?id=2304257 | issue-tracking, x_refsource_REDHAT |
| https://moodle.org/mod/forum/discuss.php?d=461197 | |
Impacted products
Date Public
2024-08-19 04:00
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "moodle",
"vendor": "moodle",
"versions": [
{
"lessThan": "4.1.12",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "4.2.9",
"status": "affected",
"version": "4.2",
"versionType": "semver"
},
{
"lessThan": "4.3.6",
"status": "affected",
"version": "4.3",
"versionType": "semver"
},
{
"lessThan": "4.4.2",
"status": "affected",
"version": "4.4",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-43429",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-12T15:15:16.555262Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-312",
"description": "CWE-312 Cleartext Storage of Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-12T15:16:37.165Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com/moodle/moodle",
"defaultStatus": "unaffected",
"packageName": "moodle",
"versions": [
{
"lessThan": "4.1.12",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "4.2.9",
"status": "affected",
"version": "4.2",
"versionType": "semver"
},
{
"lessThan": "4.3.6",
"status": "affected",
"version": "4.3",
"versionType": "semver"
},
{
"lessThan": "4.4.2",
"status": "affected",
"version": "4.4",
"versionType": "semver"
}
]
}
],
"datePublic": "2024-08-19T04:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in moodle. Some hidden user profile fields are visible in gradebook reports, which could result in users without the \"view hidden user fields\" capability having access to the information."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Low"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"providerMetadata": {
"dateUpdated": "2024-11-11T12:15:00.784Z",
"orgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5",
"shortName": "fedora"
},
"references": [
{
"name": "RHBZ#2304257",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2304257"
},
{
"url": "https://moodle.org/mod/forum/discuss.php?d=461197"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-08-12T00:00:00.000Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2024-08-19T04:00:00.000Z",
"value": "Made public."
}
],
"title": "Moodle: user information visibility control issues in gradebook reports"
}
},
"cveMetadata": {
"assignerOrgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5",
"assignerShortName": "fedora",
"cveId": "CVE-2024-43429",
"datePublished": "2024-11-11T12:15:00.784Z",
"dateReserved": "2024-08-13T07:15:00.598Z",
"dateUpdated": "2024-11-12T15:16:37.165Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-43430 (GCVE-0-2024-43430)
Vulnerability from cvelistv5 – Published: 2024-11-11 12:15 – Updated: 2024-11-12 15:01
Title
Moodle: lack of access control when using external methods for quiz overrides
Summary
A flaw was found in moodle. External API access to Quiz can override contained insufficient access control.
Severity
5.3 (Medium)
CWE
- CWE-276 - Incorrect Default Permissions
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://bugzilla.redhat.com/show_bug.cgi?id=2304258 | issue-tracking, x_refsource_REDHAT |
| https://moodle.org/mod/forum/discuss.php?d=461198 | |
Impacted products
Date Public
2024-08-19 04:00
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:moodle:moodle:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "moodle",
"vendor": "moodle",
"versions": [
{
"lessThan": "4.1.12",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "4.2.9",
"status": "affected",
"version": "4.2",
"versionType": "semver"
},
{
"lessThan": "4.4.2",
"status": "affected",
"version": "4.4",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-43430",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-12T14:57:03.948766Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-276",
"description": "CWE-276 Incorrect Default Permissions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-12T15:01:22.872Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com/moodle/moodle",
"defaultStatus": "unaffected",
"packageName": "moodle",
"versions": [
{
"lessThan": "4.1.12",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "4.2.9",
"status": "affected",
"version": "4.2",
"versionType": "semver"
},
{
"lessThan": "4.3.6",
"status": "affected",
"version": "4.3",
"versionType": "semver"
},
{
"lessThan": "4.4.2",
"status": "affected",
"version": "4.4",
"versionType": "semver"
}
]
}
],
"datePublic": "2024-08-19T04:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in moodle. External API access to Quiz can override contained insufficient access control."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Low"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"providerMetadata": {
"dateUpdated": "2024-11-11T12:15:36.451Z",
"orgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5",
"shortName": "fedora"
},
"references": [
{
"name": "RHBZ#2304258",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2304258"
},
{
"url": "https://moodle.org/mod/forum/discuss.php?d=461198"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-08-12T00:00:00.000Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2024-08-19T04:00:00.000Z",
"value": "Made public."
}
],
"title": "Moodle: lack of access control when using external methods for quiz overrides"
}
},
"cveMetadata": {
"assignerOrgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5",
"assignerShortName": "fedora",
"cveId": "CVE-2024-43430",
"datePublished": "2024-11-11T12:15:36.451Z",
"dateReserved": "2024-08-13T07:15:00.598Z",
"dateUpdated": "2024-11-12T15:01:22.872Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-43431 (GCVE-0-2024-43431)
Vulnerability from cvelistv5 – Published: 2024-11-07 13:27 – Updated: 2024-11-07 15:55
Title
Moodle: idor in badges allows deletion of arbitrary badges
Summary
A vulnerability was found in Moodle. Insufficient capability checks made it possible to delete badges that a user does not have permission to access.
Severity
7.5 (High)
CWE
- CWE-862 - Missing Authorization
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://bugzilla.redhat.com/show_bug.cgi?id=2304259 | issue-tracking, x_refsource_REDHAT |
| https://moodle.org/mod/forum/discuss.php?d=461199 | |
Impacted products
Date Public
2024-08-19 04:00
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "moodle",
"vendor": "moodle",
"versions": [
{
"lessThan": "4.1.12",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "4.2.9",
"status": "affected",
"version": "4.2",
"versionType": "semver"
},
{
"lessThan": "4.3.6",
"status": "affected",
"version": "4.3",
"versionType": "semver"
},
{
"lessThan": "4.4.2",
"status": "affected",
"version": "4.4",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-43431",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-07T14:40:53.002108Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-07T15:55:57.730Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com/moodle/moodle",
"defaultStatus": "unaffected",
"packageName": "moodle",
"versions": [
{
"lessThan": "4.1.12",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "4.2.9",
"status": "affected",
"version": "4.2",
"versionType": "semver"
},
{
"lessThan": "4.3.6",
"status": "affected",
"version": "4.3",
"versionType": "semver"
},
{
"lessThan": "4.4.2",
"status": "affected",
"version": "4.4",
"versionType": "semver"
}
]
}
],
"datePublic": "2024-08-19T04:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in Moodle. Insufficient capability checks made it possible to delete badges that a user does not have permission to access."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"providerMetadata": {
"dateUpdated": "2024-11-07T13:27:07.968Z",
"orgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5",
"shortName": "fedora"
},
"references": [
{
"name": "RHBZ#2304259",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2304259"
},
{
"url": "https://moodle.org/mod/forum/discuss.php?d=461199"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-08-12T00:00:00.000Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2024-08-19T04:00:00.000Z",
"value": "Made public."
}
],
"title": "Moodle: idor in badges allows deletion of arbitrary badges",
"workarounds": [
{
"lang": "en",
"value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."
}
]
}
},
"cveMetadata": {
"assignerOrgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5",
"assignerShortName": "fedora",
"cveId": "CVE-2024-43431",
"datePublished": "2024-11-07T13:27:07.968Z",
"dateReserved": "2024-08-13T07:15:00.598Z",
"dateUpdated": "2024-11-07T15:55:57.730Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-43432 (GCVE-0-2024-43432)
Vulnerability from cvelistv5 – Published: 2024-11-11 12:16 – Updated: 2024-11-12 15:14
Title
Moodle: authorization headers preserved between "emulated redirects"
Summary
A flaw was found in moodle. The cURL wrapper in Moodle strips HTTPAUTH and USERPWD headers during emulated redirects, but retains other original request headers, so HTTP authorization header information could be unintentionally sent in requests to redirect URLs.
Severity
5.3 (Medium)
CWE
- CWE-319 - Cleartext Transmission of Sensitive Information
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://bugzilla.redhat.com/show_bug.cgi?id=2304260 | issue-tracking, x_refsource_REDHAT |
| https://moodle.org/mod/forum/discuss.php?d=461200 | |
Impacted products
Date Public
2024-08-19 04:00
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "moodle",
"vendor": "moodle",
"versions": [
{
"lessThan": "4.1.12",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "4.2.9",
"status": "affected",
"version": "4.2",
"versionType": "semver"
},
{
"lessThan": "4.3.6",
"status": "affected",
"version": "4.3",
"versionType": "semver"
},
{
"lessThan": "4.4.2",
"status": "affected",
"version": "4.4",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-43432",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-12T15:06:57.126320Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-319",
"description": "CWE-319 Cleartext Transmission of Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-12T15:14:27.618Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com/moodle/moodle",
"defaultStatus": "unaffected",
"packageName": "moodle",
"versions": [
{
"lessThan": "4.1.12",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "4.2.9",
"status": "affected",
"version": "4.2",
"versionType": "semver"
},
{
"lessThan": "4.3.6",
"status": "affected",
"version": "4.3",
"versionType": "semver"
},
{
"lessThan": "4.4.2",
"status": "affected",
"version": "4.4",
"versionType": "semver"
}
]
}
],
"datePublic": "2024-08-19T04:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in moodle. The cURL wrapper in Moodle strips HTTPAUTH and USERPWD headers during emulated redirects, but retains other original request headers, so HTTP authorization header information could be unintentionally sent in requests to redirect URLs."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Low"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"providerMetadata": {
"dateUpdated": "2024-11-11T12:16:04.901Z",
"orgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5",
"shortName": "fedora"
},
"references": [
{
"name": "RHBZ#2304260",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2304260"
},
{
"url": "https://moodle.org/mod/forum/discuss.php?d=461200"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-08-12T00:00:00.000Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2024-08-19T04:00:00.000Z",
"value": "Made public."
}
],
"title": "Moodle: authorization headers preserved between \"emulated redirects\""
}
},
"cveMetadata": {
"assignerOrgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5",
"assignerShortName": "fedora",
"cveId": "CVE-2024-43432",
"datePublished": "2024-11-11T12:16:04.901Z",
"dateReserved": "2024-08-13T07:15:00.598Z",
"dateUpdated": "2024-11-12T15:14:27.618Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-43433 (GCVE-0-2024-43433)
Vulnerability from cvelistv5 – Published: 2024-11-11 12:16 – Updated: 2024-11-12 15:06
Title
Moodle: matrix user/power level management not always working as expected with suspended users
Summary
A flaw was found in moodle. Matrix room membership and power levels are incorrectly applied and revoked for suspended Moodle users.
Severity
5.3 (Medium)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://bugzilla.redhat.com/show_bug.cgi?id=2304261 | issue-tracking, x_refsource_REDHAT |
| https://moodle.org/mod/forum/discuss.php?d=461202 | |
Impacted products
Date Public
2024-08-19 04:00
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "moodle",
"vendor": "moodle",
"versions": [
{
"lessThan": "4.1.12",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "4.2.9",
"status": "affected",
"version": "4.2",
"versionType": "semver"
},
{
"lessThan": "4.3.6",
"status": "affected",
"version": "4.3",
"versionType": "semver"
},
{
"lessThan": "4.4.2",
"status": "affected",
"version": "4.4",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-43433",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-12T15:02:57.899042Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-12T15:06:09.890Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com/moodle/moodle",
"defaultStatus": "unaffected",
"packageName": "moodle",
"versions": [
{
"lessThan": "4.1.12",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "4.2.9",
"status": "affected",
"version": "4.2",
"versionType": "semver"
},
{
"lessThan": "4.3.6",
"status": "affected",
"version": "4.3",
"versionType": "semver"
},
{
"lessThan": "4.4.2",
"status": "affected",
"version": "4.4",
"versionType": "semver"
}
]
}
],
"datePublic": "2024-08-19T04:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in moodle. Matrix room membership and power levels are incorrectly applied and revoked for suspended Moodle users."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Low"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"providerMetadata": {
"dateUpdated": "2024-11-11T12:16:46.270Z",
"orgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5",
"shortName": "fedora"
},
"references": [
{
"name": "RHBZ#2304261",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2304261"
},
{
"url": "https://moodle.org/mod/forum/discuss.php?d=461202"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-08-12T00:00:00.000Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2024-08-19T04:00:00.000Z",
"value": "Made public."
}
],
"title": "Moodle: matrix user/power level management not always working as expected with suspended users"
}
},
"cveMetadata": {
"assignerOrgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5",
"assignerShortName": "fedora",
"cveId": "CVE-2024-43433",
"datePublished": "2024-11-11T12:16:46.270Z",
"dateReserved": "2024-08-13T07:15:00.598Z",
"dateUpdated": "2024-11-12T15:06:09.890Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-43434 (GCVE-0-2024-43434)
Vulnerability from cvelistv5 – Published: 2024-11-07 13:28 – Updated: 2024-11-07 15:56
Title
Moodle: csrf risk in feedback non-respondents report
Summary
The bulk message sending feature in Moodle's Feedback module's non-respondents report had an incorrect CSRF token check, leading to a CSRF vulnerability.
Severity
8.1 (High)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://bugzilla.redhat.com/show_bug.cgi?id=2304262 | issue-tracking, x_refsource_REDHAT |
| https://moodle.org/mod/forum/discuss.php?d=461203 | |
Impacted products
Date Public
2024-08-19 04:00
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "moodle",
"vendor": "moodle",
"versions": [
{
"lessThan": "4.1.12",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "4.2.9",
"status": "affected",
"version": "4.2",
"versionType": "semver"
},
{
"lessThan": "4.3.6",
"status": "affected",
"version": "4.3",
"versionType": "semver"
},
{
"lessThan": "4.4.2",
"status": "affected",
"version": "4.4",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-43434",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-07T14:40:44.970094Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-07T15:56:27.455Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com/moodle/moodle",
"defaultStatus": "unaffected",
"packageName": "moodle",
"versions": [
{
"lessThan": "4.1.12",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "4.2.9",
"status": "affected",
"version": "4.2",
"versionType": "semver"
},
{
"lessThan": "4.3.6",
"status": "affected",
"version": "4.3",
"versionType": "semver"
},
{
"lessThan": "4.4.2",
"status": "affected",
"version": "4.4",
"versionType": "semver"
}
]
}
],
"datePublic": "2024-08-19T04:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "The bulk message sending feature in Moodle\u0027s Feedback module\u0027s non-respondents report had an incorrect CSRF token check, leading to a CSRF vulnerability."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"providerMetadata": {
"dateUpdated": "2024-11-07T13:28:27.671Z",
"orgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5",
"shortName": "fedora"
},
"references": [
{
"name": "RHBZ#2304262",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2304262"
},
{
"url": "https://moodle.org/mod/forum/discuss.php?d=461203"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-08-12T00:00:00.000Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2024-08-19T04:00:00.000Z",
"value": "Made public."
}
],
"title": "Moodle: csrf risk in feedback non-respondents report",
"workarounds": [
{
"lang": "en",
"value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."
}
]
}
},
"cveMetadata": {
"assignerOrgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5",
"assignerShortName": "fedora",
"cveId": "CVE-2024-43434",
"datePublished": "2024-11-07T13:28:27.671Z",
"dateReserved": "2024-08-13T07:15:00.598Z",
"dateUpdated": "2024-11-07T15:56:27.455Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}