Lucene search

GitHub Advisory DatabaseGHSA-HH52-G5C4-WPRH

HistoryMar 23, 2023 - 9:30 p.m.

Moodle may allow authenticated users to enumerate other user's names via learning plans page

2023-03-2321:30:18

CWE-200

CWE-639

GitHub Advisory Database

github.com

moodle

authenticated users

enumerate

learning plans

risk

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

EPSS

0.001

Percentile

21.0%

JSON

Authenticated users were able to enumerate other users’ names via the learning plans page.

Affected configurations

Vulners

Node

moodlemoodleRange<3.9.20

moodlemoodleRange3.11.0–3.11.13

moodlemoodleRange4.0.0–4.0.7

moodlemoodleRange4.1.0–4.1.2

VendorProductVersionCPE
moodlemoodle*cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
moodle	moodle	*	cpe:2.3:a:moodle:moodle::::::::

References

bugzilla.redhat.com/show_bug.cgi?id=2179423

git.moodle.org/gw?p=moodle.git;a=commit;h=0e3c8eb740e1e49a62a5f452cda7e06258712bbf

github.com/advisories/GHSA-hh52-g5c4-wprh

github.com/moodle/moodle/commit/0e3c8eb740e1e49a62a5f452cda7e06258712bbf

moodle.org/mod/forum/discuss.php?d=445066

nvd.nist.gov/vuln/detail/CVE-2023-28334

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

EPSS

0.001

Percentile

21.0%

JSON

Related for GHSA-HH52-G5C4-WPRH