5.3

CVE-2024-25983

Msa-24-0006: idor on dashboard comments block

Insufficient checks in a web service made it possible to add comments to the comments block on another user's dashboard when it was not otherwise available (e.g., on their profile page).
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
MoodleMoodle Version >= 4.1.0 < 4.1.9
MoodleMoodle Version >= 4.2.0 < 4.2.6
MoodleMoodle Version >= 4.3.0 < 4.3.3
FedoraprojectFedora Version38
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.6% 0.441
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 5.3 3.9 1.4
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
patrick@puiterwijk.org 3.5 2.1 1.4
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
CWE-639 Authorization Bypass Through User-Controlled Key

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KXGBYJ43BUEBUAQZU3DT5I5A3YLF47CB/
Mailing List
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-78300
Patch
https://bugzilla.redhat.com/show_bug.cgi?id=2264099
Issue Tracking
https://moodle.org/mod/forum/discuss.php?d=455641
Vendor Advisory