CVE-2024-1439

MEDIUM severity · CVSS 6.5 · Improper access control

6.5CVSS MEDIUM

Summary

Inadequate access control in Moodle LMS. This vulnerability could allow a local user with a student role to create arbitrary events intended for users with higher roles. It could also allow the attacker to add events to the calendar of all users without their prior consent.

Impact & exploitability

Attack vectorNetwork

Attack complexityLow

Privileges requiredLow

User interactionNone

Confidentiality impactNone

Integrity impactHigh

Availability impactNone

Exploit probability (EPSS)0%

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Affected products we track (1)

Moodle

Recommendation

Apply the vendor fix in your normal patch cycle. Open any affected product above for its exact safe version.

Additional information

NVD record
https://www.incibe.es/en/incibe-cert/notices/aviso/inadequate-access-control-vulnerability-moodleAdvisory
https://www.incibe.es/en/incibe-cert/notices/aviso/inadequate-access-control-vulnerability-moodleAdvisory