PT-2021-5355
0Xkasper · Published 2021-11-10 · Updated 2024-03-06
CVE-2021-43560
| Metric | Value |
| CVSS v2.0 base score | 6.4 (Medium) |
| Vector | AV:N/AC:L/Au:N/C:P/I:P/A:N |
Affected Software and Versions
Moodle 3.11 to 3.11.3 (fixed in 3.11.4)
Moodle 3.10 to 3.10.7 (fixed in 3.10.8)
Moodle 3.9 to 3.9.10 (fixed in 3.9.11)
Moodle versions prior to 3.9 (unsupported branches, also affected)
Description
Moodle did not perform sufficient capability checks before returning calendar action events, so the user id supplied by the caller was trusted as-is. An authenticated remote user could therefore fetch the calendar action events of other users, an incorrect-authorization flaw that lets a low-privileged account read data it should not be able to see. The CVSS vector above (C:P/I:P) reflects that impact; the issue is a horizontal authorization bypass rather than a true elevation to administrative privileges.
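As an added illustration, not code from Moodle or from this advisory, the following Python models the class of flaw described above and the fix: a fetch that trusts a caller-supplied user id with no check, beside the same fetch gated on ownership or an explicit capability, plus a small regression probe that reports whether an unprivileged user can read another user's events. The capability string, user ids and events are constructed for the example and do not correspond to Moodle's real capability names or data model.

```python
"""Added example (not Moodle code): ownership/capability check for per-user
calendar action events. Capability names and sample data are constructed."""
from dataclasses import dataclass
from typing import Callable, FrozenSet, List


class PermissionDenied(Exception):
    """Raised when the requester may not read the requested user's events."""


@dataclass(frozen=True)
class ActionEvent:
    id: int
    userid: int     # owner of the event
    name: str
    timesort: int   # unix time used for ordering, as in a timeline view


@dataclass(frozen=True)
class User:
    id: int
    # Hypothetical capability strings; Moodle's real capability names differ.
    capabilities: FrozenSet[str] = frozenset()


# Constructed sample data: two ordinary users and one privileged viewer.
ALICE = User(10)
BOB = User(20)
VIEWER = User(30, frozenset({"calendar:viewallactionevents"}))

EVENTS: List[ActionEvent] = [
    ActionEvent(1, ALICE.id, "Assignment due: Essay", 1700000000),
    ActionEvent(2, ALICE.id, "Quiz closes", 1700003600),
    ActionEvent(3, BOB.id, "Forum post due", 1700007200),
]


def has_capability(user: User, capability: str) -> bool:
    return capability in user.capabilities


def fetch_action_events_vulnerable(requester: User, userid: int) -> List[ActionEvent]:
    """Vulnerable pattern: the caller-supplied userid is trusted as-is, so any
    authenticated requester can read any other user's action events."""
    return sorted((e for e in EVENTS if e.userid == userid), key=lambda e: e.timesort)


def fetch_action_events_fixed(requester: User, userid: int) -> List[ActionEvent]:
    """Fixed pattern: a user may always read their own events; reading anyone
    else's requires an explicit capability. Everything else is denied."""
    if userid != requester.id and not has_capability(requester, "calendar:viewallactionevents"):
        raise PermissionDenied(f"user {requester.id} may not read action events of user {userid}")
    return sorted((e for e in EVENTS if e.userid == userid), key=lambda e: e.timesort)


Fetcher = Callable[[User, int], List[ActionEvent]]


def cross_user_read_possible(fetch: Fetcher, requester: User = ALICE, victim: User = BOB) -> bool:
    """Regression probe: can the requester read the victim's events?
    True means the horizontal authorization bypass is present. The victim
    must own at least one event, or the probe cannot observe a leak."""
    try:
        leaked = fetch(requester, victim.id)
    except PermissionDenied:
        return False
    return any(e.userid == victim.id for e in leaked)


if __name__ == "__main__":
    for name, fetch in (("vulnerable", fetch_action_events_vulnerable),
                        ("fixed", fetch_action_events_fixed)):
        print(f"{name}: cross-user read possible = {cross_user_read_possible(fetch)}")
```

The probe is the kind of test worth keeping in a suite after a fix like this one: it asserts the security property (an ordinary user cannot read another user's events) rather than any particular error message, so it keeps guarding against the same flaw if the fetch path is later refactored.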
Recommendations
For Moodle 3.11 to 3.11.3, update to 3.11.4 or later.
For Moodle 3.10 to 3.10.7, update to 3.10.8 or later.
For Moodle 3.9 to 3.9.10, update to 3.9.11 or later.
For Moodle versions prior to 3.9, which are out of support, migrate to a supported release that contains the fix.
Fixed releases exist for every supported branch, so upgrading is the remedy; until the upgrade is done, treat calendar action event data as readable by any authenticated user and limit who can hold an account on the site accordingly.
Fix
Weakness Types
CWE-863: Incorrect Authorization
CWE-668: Exposure of Resource to Wrong Sphere
Affected Products
Alt Linux
Moodle