CVE-2024-25983

LOW

moodle 4.1.0-4.1.8 and 4.3.0-4.3.2 - Authorization Bypass in Comments Block Web Service

Title source: llm

Description

Insufficient checks in a web service made it possible to add comments to the comments block on another user's dashboard when it was not otherwise available (e.g., on their profile page).

References (4)

Core 4

Core References

Patch

http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-78300

Mailing List

https://lists.fedoraproject.org/archives/list/[email protected]/message/KXGBYJ43BUEBUAQZU3DT5I5A3YLF47CB/

Vendor Advisory

https://moodle.org/mod/forum/discuss.php?d=455641

Issue Tracking issue-tracking x_refsource_redhat

https://bugzilla.redhat.com/show_bug.cgi?id=2264099

Scores

CVSS v3 3.5

EPSS 0.0060

EPSS Percentile 44.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-639

Status published

Products (3)

fedoraproject/fedora 38

moodle/moodle 4.1.0 - 4.1.9

moodle/moodle 4.3.0 - 4.3.3Packagist

Published Feb 19, 2024

Tracked Since Feb 18, 2026