CVE-2024-1439

Inadequate access control in Moodle LMS. This vulnerability could allow a local user with a student role to create arbitrary events intended for users with higher roles. It could also allow the attacker to add events to the calendar of all users without their prior consent.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://www.incibe.es/en/incibe-cert/notices/aviso/inadequate-access-control-vulnerability-moodle	Third Party Advisory
https://www.incibe.es/en/incibe-cert/notices/aviso/inadequate-access-control-vulnerability-moodle	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*

History

21 Nov 2024, 08:50

Type	Values Removed	Values Added
References	~~() https://www.incibe.es/en/incibe-cert/notices/aviso/inadequate-access-control-vulnerability-moodle - Third Party Advisory~~	() https://www.incibe.es/en/incibe-cert/notices/aviso/inadequate-access-control-vulnerability-moodle - Third Party Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~3.3~~	v2 : unknown v3 : 6.5

10 Oct 2024, 13:55

Type	Values Removed	Values Added
References	~~() https://www.incibe.es/en/incibe-cert/notices/aviso/inadequate-access-control-vulnerability-moodle -~~	() https://www.incibe.es/en/incibe-cert/notices/aviso/inadequate-access-control-vulnerability-moodle - Third Party Advisory
First Time		Moodle moodle Moodle
CWE		NVD-CWE-noinfo
CPE		cpe:2.3:a:moodle:moodle::::::::
CVSS	v2 : ~~unknown~~ v3 : ~~6.5~~	v2 : unknown v3 : 3.3

12 Feb 2024, 11:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-02-12 11:15

Updated : 2024-11-21 08:50

NVD link : CVE-2024-1439

Mitre link : CVE-2024-1439

CVE.ORG link : CVE-2024-1439

JSON object : View

Products Affected

moodle

moodle

CWE

CWE-284

Improper Access Control

NVD-CWE-noinfo

{"id": "CVE-2024-1439", "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "cve-coordination@incibe.es", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.8}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.3, "attackVector": "LOCAL", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 1.8}]}, "published": "2024-02-12T11:15:08.147", "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/inadequate-access-control-vulnerability-moodle", "tags": ["Third Party Advisory"], "source": "cve-coordination@incibe.es"}, {"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/inadequate-access-control-vulnerability-moodle", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "cve-coordination@incibe.es", "description": [{"lang": "en", "value": "CWE-284"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "Inadequate access control in Moodle LMS. This vulnerability could allow a local user with a student role to create arbitrary events intended for users with higher roles. It could also allow the attacker to add events to the calendar of all users without their prior consent."}, {"lang": "es", "value": "Control de acceso inadecuado en Moodle LMS. Esta vulnerabilidad podr\u00eda permitir que un usuario local con rol de estudiante cree eventos arbitrarios destinados a usuarios con roles superiores. Tambi\u00e9n podr\u00eda permitir al atacante agregar eventos al calendario de todos los usuarios sin su consentimiento previo."}], "lastModified": "2024-11-21T08:50:35.387", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A76BD816-1BB5-48BF-996B-8F4AD1BEE3CF", "versionEndIncluding": "4.2.11"}], "operator": "OR"}]}], "sourceIdentifier": "cve-coordination@incibe.es"}