CVE-2024-38273 – moodle/moodle
Package
Manager: composer
Name: moodle/moodle
Vulnerable Version: >=4.4.0-beta <4.4.1 || >=4.3.0-beta <4.3.5 || >=4.2.0-beta <4.2.8 || >=0 <4.1.11
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00135 (percentile: 0.3395)
Details
Moodle BigBlueButton web service leaks meeting joining information. Insufficient capability checks meant it was possible for users to gain access to BigBlueButton join URLs they did not have permission to access.
Metadata
Created: 2024-06-18T21:30:36Z
Modified: 2024-11-05T18:34:16Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/06/GHSA-x29x-qwvx-fxr2/GHSA-x29x-qwvx-fxr2.json
CWE IDs: ["CWE-284"]
Alternative ID: GHSA-x29x-qwvx-fxr2
Finding: F039
Auto approve: 1