Inadequate access control vulnerability in Moodle
Posted date 12/02/2024
Identifier
INCIBE-2024-0076
Importance
3 - Medium
Affected Resources
- Moodle LMS, versions 4.2 and prior.
Description
INCIBE has coordinated the publication of a medium severity vulnerability affecting Moodle LMS, a learning management system, in versions 4.2 and earlier. The vulnerability was discovered by David Utón Amaya.
This vulnerability has been assigned the following code, CVSS v3.1 base score, CVSS vector and CWE vulnerability type:
- CVE-2024-1439: 6.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N | CWE-284.
Solution
There is no reported solution at this time.
Detail
CVE-2024-1439: inadequate access control in Moodle LMS. This vulnerability could allow a local user with a student role to create arbitrary events intended for users with higher roles. It could also allow the attacker to add events to the calendar of all users without their prior consent.