CVE-2024-25980

MEDIUM

Moodle 4.1.0-4.1.8, 4.3.0-4.3.2 - Improper Access Control in H5P Attempts Report

Description

Separate Groups mode restrictions were not honored in the H5P attempts report, which would display users from other groups. By default this only provided additional access to non-editing teachers.

Scores

CVSS v3 4.3
EPSS 0.0017
EPSS Percentile 37.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-284
Status published
Products (3)
fedoraproject/fedora 38
moodle/moodle 4.1.0 - 4.1.9
moodle/moodle 4.3.0 - 4.3.3 (Packagist)
Published Feb 19, 2024
Tracked Since Feb 18, 2026