Lucene search

GitHub Advisory DatabaseGHSA-R82W-3PHG-QVR4

HistoryJun 18, 2024 - 9:30 p.m.

Moodle uses the same key for QR login and auto-login

2024-06-1821:30:36

CWE-324

GitHub Advisory Database

github.com

moodle

qr login

auto-login

unique key

software

6.9 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

15.7%

JSON

A unique key should be generated for a user’s QR login key and their auto-login key, so the same key cannot be used interchangeably between the two.

Affected configurations

Vulners

Node

moodlemoodleRange<4.1.11

moodlemoodleRange<4.2.8

moodlemoodleRange<4.3.5

moodlemoodleRange<4.4.1

CPENameOperatorVersion
moodle/moodlelt4.1.11
moodle/moodlelt4.2.8
moodle/moodlelt4.3.5
moodle/moodlelt4.4.1

Name	Operator	Version
moodle/moodle	lt	4.1.11
moodle/moodle	lt	4.2.8
moodle/moodle	lt	4.3.5
moodle/moodle	lt	4.4.1

References

github.com/advisories/GHSA-r82w-3phg-qvr4

github.com/moodle/moodle/commit/0caedaab7cd5a46331d56654ce9301b0a5a04c56

github.com/moodle/moodle/commit/1aea4a15281d81f2414a95aa485b8a6551708f57

github.com/moodle/moodle/commit/ad46a97f5355f0451d52e9f1a0f528d9a6f12e06

github.com/moodle/moodle/commit/d05795db8eece2943241a29a5443fb4685ba6070

lists.fedoraproject.org/archives/list/[email protected]/message/F7AZYR7EXV6E5SQE2GYTNQE3NOENJCQ6

lists.fedoraproject.org/archives/list/[email protected]/message/GHTIX55J4Q4LEOMLNEA4OZSWVEENQX7E

moodle.org/mod/forum/discuss.php?d=459502

nvd.nist.gov/vuln/detail/CVE-2024-38277