Lucene search

[email protected]NVD:CVE-2021-20283

HistoryMar 15, 2021 - 10:15 p.m.

CVE-2021-20283

2021-03-1522:15:13

CWE-862

CWE-863

[email protected]

web.nvd.nist.gov

web service

unauthorized access

enrolled courses

permissions

moodle

cve-2021-20283

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:N/A:N

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

EPSS

0.001

Percentile

40.5%

JSON

The web service responsible for fetching other users’ enrolled courses did not validate that the requesting user had permission to view that information in each course in moodle before 3.10.2, 3.9.5, 3.8.8, 3.5.17.

Affected configurations

Nvd

Node

moodlemoodleRange3.5.0–3.5.17

moodlemoodleRange3.8.0–3.8.8

moodlemoodleRange3.9.0–3.9.5

moodlemoodleRange3.10.0–3.10.2

Node

fedoraprojectfedoraMatch32

fedoraprojectfedoraMatch34

VendorProductVersionCPE
moodlemoodle*cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*
fedoraprojectfedora32cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*
fedoraprojectfedora34cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
moodle	moodle	*	cpe:2.3:a:moodle:moodle::::::::
fedoraproject	fedora	32	cpe:2.3:o:fedoraproject:fedora:32:::::::*
fedoraproject	fedora	34	cpe:2.3:o:fedoraproject:fedora:34:::::::*