CVE-2024-33996 moodle: broken access control when setting calendar event type

2024-05-3119:29:07

CWE-20

fedora

www.cve.org

cve-2024-33996

moodle

calendar event type

access control

6.3 Medium

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

9.1%

JSON

Incorrect validation of allowed event types in a calendar web service made it possible for some users to create events with types/audiences they did not have permission to publish to.

CNA Affected

[
  {
    "vendor": "Moodle",
    "product": "Moodle",
    "packageName": "Moodle",
    "versions": [
      {
        "status": "affected",
        "version": "4.0",
        "lessThanOrEqual": "4.3.3",
        "versionType": "semver"
      },
      {
        "status": "affected",
        "version": "4.2",
        "lessThanOrEqual": "4.2.6",
        "versionType": "semver"
      },
      {
        "status": "affected",
        "version": "4.1",
        "lessThanOrEqual": "4.1.9",
        "versionType": "semver"
      }
    ],
    "defaultStatus": "unknown"
  }
]