CVE-2024-33996

MEDIUM severity · CVSS 6.2 · Improper input validation

6.2CVSS MEDIUM

Summary

Incorrect validation of allowed event types in a calendar web service made it possible for some users to create events with types/audiences they did not have permission to publish to.

Impact & exploitability

Attack vectorNetwork

Attack complexityLow

Privileges requiredHigh

User interactionRequired

Confidentiality impactNone

Integrity impactHigh

Availability impactNone

Exploit probability (EPSS)0%

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:N/I:H/A:N

Affected products we track (1)

Moodle

Recommendation

Apply the vendor fix in your normal patch cycle. Open any affected product above for its exact safe version.

Additional information

NVD record
https://moodle.org/mod/forum/discuss.php?d=458384#p1840909Advisory
https://moodle.org/mod/forum/discuss.php?d=458384#p1840909Advisory