Lucene search

GoogleOSV:GHSA-HH52-G5C4-WPRH

HistoryMar 23, 2023 - 9:30 p.m.

Moodle may allow authenticated users to enumerate other user's names via learning plans page

2023-03-2321:30:18

Google

osv.dev

moodle

user enumeration

learning plans

authenticated users

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

EPSS

0.001

Percentile

21.0%

JSON

Authenticated users were able to enumerate other users’ names via the learning plans page.

References

bugzilla.redhat.com/show_bug.cgi?id=2179423

git.moodle.org/gw?p=moodle.git;a=commit;h=0e3c8eb740e1e49a62a5f452cda7e06258712bbf

github.com/moodle/moodle

github.com/moodle/moodle/commit/0e3c8eb740e1e49a62a5f452cda7e06258712bbf

moodle.org/mod/forum/discuss.php?d=445066

nvd.nist.gov/vuln/detail/CVE-2023-28334

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

EPSS

0.001

Percentile

21.0%

JSON

Related for OSV:GHSA-HH52-G5C4-WPRH