Lucene search

GoogleOSV:GHSA-9R26-5W88-QHP9

HistoryFeb 19, 2024 - 6:31 p.m.

Authorization Bypass in moodle

2024-02-1918:31:32

Google

osv.dev

moodle

authorization bypass

insufficient checks

web service

comments block

user dashboard

profile page

CVSS3

3.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N

AI Score

Confidence

Low

EPSS

Percentile

15.5%

JSON

Insufficient checks in a web service made it possible to add comments to the comments block on another user’s dashboard when it was not otherwise available (e.g., on their profile page).

References

git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-78300

bugzilla.redhat.com/show_bug.cgi?id=2264099

github.com/moodle/moodle

github.com/moodle/moodle/commit/4cae44dd0e9a7da47d08d9b75e0ebba0e4b422f4

lists.fedoraproject.org/archives/list/[email protected]/message/KXGBYJ43BUEBUAQZU3DT5I5A3YLF47CB

moodle.org/mod/forum/discuss.php?d=455641

nvd.nist.gov/vuln/detail/CVE-2024-25983

CVSS3

3.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N

AI Score

Confidence

Low

EPSS

Percentile

15.5%

JSON

Related for OSV:GHSA-9R26-5W88-QHP9