Inadequate access control vulnerability in Moodle

Posted date 12/02/2024
Importance
3 - Medium
Affected Resources
  • Moodle LMS, versions 4.2 and prior.
Description

INCIBE has coordinated the publication of a medium-severity vulnerability affecting Moodle LMS, a learning management system, in versions 4.2 and earlier. The vulnerability was discovered by David Utón Amaya.

This vulnerability has been assigned the following identifier, CVSS v3.1 base score, CVSS vector and CWE vulnerability type:

  • CVE-2024-1439: 6.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N | CWE-284.
Solution

There is no reported solution at this time.

Detail

CVE-2024-1439: inadequate access control in Moodle LMS. This vulnerability could allow a local user with a student role to create arbitrary events intended for users with higher roles. It could also allow the attacker to add events to the calendar of all users without their prior consent.
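
With no fix reported, an administrator can review who has been creating calendar events. The following is an added example, not code from Moodle or INCIBE: it audits a constructed export of event records and flags events that a student-only account placed outside its own calendar. The record layout, field names, role names and scope labels are all assumptions for illustration.

```python
# Added example: audit exported calendar-event records for the misuse
# described in CVE-2024-1439. The record layout, role names and scope
# labels are assumptions for illustration, not Moodle's schema.
from dataclasses import dataclass

LOW_PRIVILEGE_ROLES = {"student"}  # assumed role name(s) treated as low privilege
PERSONAL_SCOPE = "user"            # assumed label for an event on one user's calendar


@dataclass(frozen=True)
class CalendarEvent:
    event_id: int
    actor_id: int           # account that created the event
    actor_roles: frozenset  # every role held by that account
    scope: str              # "user", "group", "course", "category" or "site"
    owner_id: int           # account whose calendar receives a personal event


def is_low_privilege(roles):
    """True when the account holds at least one role and none above student."""
    # An empty role set means role data is missing; it is not classified here.
    return bool(roles) and roles <= LOW_PRIVILEGE_ROLES


def suspicious_reason(ev):
    """Return why an event needs review, or None if nothing stands out."""
    if not is_low_privilege(ev.actor_roles):
        return None
    if ev.scope != PERSONAL_SCOPE:
        return f"student-only account created a {ev.scope}-scoped event"
    if ev.owner_id != ev.actor_id:
        return "student-only account created an event on another user's calendar"
    return None


def audit(events):
    """Map event_id -> reason for every event that needs review."""
    return {ev.event_id: r for ev in events if (r := suspicious_reason(ev))}


# Constructed sample records (not real data).
SAMPLE = [
    CalendarEvent(1, 10, frozenset({"student"}), "user", 10),
    CalendarEvent(2, 10, frozenset({"student"}), "site", 10),
    CalendarEvent(3, 10, frozenset({"student"}), "user", 42),
    CalendarEvent(4, 20, frozenset({"student", "editingteacher"}), "course", 20),
    CalendarEvent(5, 30, frozenset(), "site", 30),
]

if __name__ == "__main__":
    for event_id, reason in audit(SAMPLE).items():
        print(event_id, reason)
```

Flagged events are candidates for manual review, since a site may legitimately grant students extra calendar permissions.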
