CVE-2024-38273 moodle: BigBlueButton web service leaks meeting joining information to users who should not have access

2024-06-1819:49:02

CWE-284

fedora

www.cve.org

cve-2024-38273

moodle

bigbluebutton

web service

leaks meeting joining

information

insufficient capability checks

permission access

0.0004 Low

EPSS

Percentile

9.1%

JSON

Insufficient capability checks meant it was possible for users to gain access to BigBlueButton join URLs they did not have permission to access.

CNA Affected

[
  {
    "vendor": "Moodle",
    "product": "Moodle",
    "versions": [
      {
        "status": "affected",
        "version": "4.4",
        "versionType": "semver"
      },
      {
        "status": "affected",
        "version": "4.3",
        "lessThanOrEqual": "4.3.4",
        "versionType": "semver"
      },
      {
        "status": "affected",
        "version": "4.2",
        "lessThanOrEqual": "4.2.7",
        "versionType": "semver"
      },
      {
        "status": "affected",
        "version": "4.1",
        "lessThanOrEqual": "4.1.10",
        "versionType": "semver"
      }
    ],
    "defaultStatus": "unaffected"
  }
]