CVE-2023-23923

2023-02-1720:15:11

CWE-284

[email protected]

web.nvd.nist.gov

cve-2023-23923

moodle

vulnerability

unauthorized access

remote attacker

8.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

8.6 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

61.3%

JSON

The vulnerability was found Moodle which exists due to insufficient limitations on the “start page” preference. A remote attacker can set that preference for another user. The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

Affected configurations

NVD

Node

moodlemoodleRange3.9.0–3.9.19

moodlemoodleRange3.11.0–3.11.12

moodlemoodleRange4.0.0–4.0.6

moodlemoodleMatch4.1.0-

CPENameOperatorVersion
moodle:moodlemoodlelt3.9.19
moodle:moodlemoodlelt3.11.12
moodle:moodlemoodlelt4.0.6
moodle:moodlemoodleeq4.1.0

CPE	Name	Operator	Version
moodle:moodle	moodle	lt	3.9.19
moodle:moodle	moodle	lt	3.11.12
moodle:moodle	moodle	lt	4.0.6
moodle:moodle	moodle	eq	4.1.0

CNA Affected

[
  {
    "versions": [
      {
        "status": "affected",
        "version": "4.1.0",
        "lessThan": "4.1.1",
        "versionType": "semver"
      },
      {
        "status": "affected",
        "version": "4.0.0",
        "lessThan": "4.0.6",
        "versionType": "semver"
      },
      {
        "status": "affected",
        "version": "3.11.0",
        "lessThan": "3.11.12",
        "versionType": "semver"
      },
      {
        "status": "affected",
        "version": "0",
        "lessThan": "3.9.19",
        "versionType": "semver"
      }
    ],
    "packageName": "moodle",
    "collectionURL": "https://git.moodle.org",
    "defaultStatus": "unaffected"
  }
]