CVE-2023-23923

HIGH

Moodle < 3.9.19 - Improper Access Control via Start Page Preference

Title source: llm

Description

The vulnerability was found Moodle which exists due to insufficient limitations on the "start page" preference. A remote attacker can set that preference for another user. The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

References (3)

Core 3

Core References

Patch

http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-76862

Issue Tracking, Third Party Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=2162549

Vendor Advisory

https://moodle.org/mod/forum/discuss.php?d=443274#p1782023

Scores

CVSS v3 8.2

EPSS 0.0032

EPSS Percentile 55.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-284

Status published

Products (3)

moodle/moodle 4.1.0

moodle/moodle 0 - 3.9.19Packagist

moodle/moodle 3.9.0 - 3.9.19

Published Feb 17, 2023

Tracked Since Feb 18, 2026