PT-2021-3113 · Moodle+1 · Moodle+1
Nadav Kavalerchik
·
Published
2021-05-10
·
Updated
2024-03-06
·
CVE-2021-32473
CVSS v3.1
5.3
Medium
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Moodle versions 3.5 to 3.5.17
Moodle versions 3.8 to 3.8.8
Moodle versions 3.9 to 3.9.6
Moodle versions 3.10 to 3.10.3
Description
The issue exists due to insufficient input validation in the virtual learning environment. This allows a remote attacker to gain unauthorized access to protected information. Specifically, it was possible for a student to view their quiz grade before it had been released, using a quiz web service.
Recommendations
For Moodle versions 3.5 to 3.5.17, update to a version later than 3.5.17 to resolve the issue.
For Moodle versions 3.8 to 3.8.8, update to a version later than 3.8.8 to resolve the issue.
For Moodle versions 3.9 to 3.9.6, update to a version later than 3.9.6 to resolve the issue.
For Moodle versions 3.10 to 3.10.3, update to a version later than 3.10.3 to resolve the issue.
As a temporary workaround, consider restricting access to the quiz web service until a patch is available.
Fix
RCE
Information Disclosure
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Alt Linux
Moodle