Inadequate access control vulnerability in Moodle

Posted date 12/02/2024
3 - Medium
Affected Resources
  • Moodle LMS, versions 4.2 and prior.

INCIBE has coordinated the publication of a medium-severity vulnerability affecting Moodle LMS, a learning management system, in versions 4.2 and earlier. The vulnerability was discovered by David Utón Amaya.

This vulnerability has been assigned the following identifier, CVSS v3.1 base score, CVSS vector and CWE vulnerability type:

  • CVE-2024-1439: 6.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N | CWE-284.

There is no reported solution at this time.


CVE-2024-1439: inadequate access control in Moodle LMS. This vulnerability could allow a local user with a student role to create arbitrary events intended for users with higher roles. It could also allow the attacker to add events to the calendar of all users without their prior consent.
