cvelistv5 - cve-2024-45690

CVE-2024-45690 (GCVE-0-2024-45690)

Vulnerability from cvelistv5

Published

2024-11-20 10:23

Modified

2024-11-27 14:15

Severity ?

Summary

A flaw was found in Moodle. Additional checks were required to ensure users can only delete their OAuth2-linked accounts.

References

URL

Tags

	patrick@puiterwijk.org	https://bugzilla.redhat.com/show_bug.cgi?id=2309939	Issue Tracking
	patrick@puiterwijk.org	https://moodle.org/security/	Vendor Advisory

Impacted products

	Vendor	Product	Version
			Version: 0 ≤ Version: 4.2 ≤ Version: 4.3 ≤ Version: 4.4 ≤

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:moodle:moodle:-:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "moodle",
            "vendor": "moodle",
            "versions": [
              {
                "lessThan": "4.1.13",
                "status": "affected",
                "version": "0",
                "versionType": "semver"
              },
              {
                "lessThan": "4.2.10",
                "status": "affected",
                "version": "0",
                "versionType": "semver"
              },
              {
                "lessThan": "4.3.7",
                "status": "affected",
                "version": "0",
                "versionType": "semver"
              },
              {
                "lessThan": "4.4.3",
                "status": "affected",
                "version": "0",
                "versionType": "semver"
              }
            ]
          }
        ],
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "NONE",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-45690",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-11-27T14:15:47.908173Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-276",
                "description": "CWE-276 Incorrect Default Permissions",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-11-27T14:15:55.442Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://github.com/moodle/moodle",
          "defaultStatus": "unaffected",
          "packageName": "moodle",
          "versions": [
            {
              "lessThan": "4.1.13",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "4.2.10",
              "status": "affected",
              "version": "4.2",
              "versionType": "semver"
            },
            {
              "lessThan": "4.3.7",
              "status": "affected",
              "version": "4.3",
              "versionType": "semver"
            },
            {
              "lessThan": "4.4.3",
              "status": "affected",
              "version": "4.4",
              "versionType": "semver"
            }
          ]
        }
      ],
      "datePublic": "2024-09-09T00:00:00+00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw was found in Moodle. Additional checks were required to ensure users can only delete their OAuth2-linked accounts."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "namespace": "https://access.redhat.com/security/updates/classification/",
              "value": "Important"
            },
            "type": "Red Hat severity rating"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-11-20T10:23:38.420Z",
        "orgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5",
        "shortName": "fedora"
      },
      "references": [
        {
          "name": "RHBZ#2309939",
          "tags": [
            "issue-tracking",
            "x_refsource_REDHAT"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2309939"
        },
        {
          "url": "https://moodle.org/security/"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2024-09-04T22:08:34.101000+00:00",
          "value": "Reported to Red Hat."
        },
        {
          "lang": "en",
          "time": "2024-09-09T00:00:00+00:00",
          "value": "Made public."
        }
      ],
      "title": "Moodle: idor when deleting oauth2 linked accounts"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5",
    "assignerShortName": "fedora",
    "cveId": "CVE-2024-45690",
    "datePublished": "2024-11-20T10:23:38.420Z",
    "dateReserved": "2024-09-04T22:00:30.976Z",
    "dateUpdated": "2024-11-27T14:15:55.442Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-45690\",\"sourceIdentifier\":\"patrick@puiterwijk.org\",\"published\":\"2024-11-20T11:15:05.413\",\"lastModified\":\"2025-06-02T15:34:48.510\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A flaw was found in Moodle. Additional checks were required to ensure users can only delete their OAuth2-linked accounts.\"},{\"lang\":\"es\",\"value\":\"Se encontr\u00f3 una falla en Moodle. Se requirieron verificaciones adicionales para garantizar que los usuarios solo puedan eliminar sus cuentas vinculadas a OAuth2.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-276\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"4.1.13\",\"matchCriteriaId\":\"FFA99B07-9756-4DF8-A807-72D175B485F8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"4.2.0\",\"versionEndExcluding\":\"4.2.10\",\"matchCriteriaId\":\"9BA66423-C6E4-4083-A957-D8DAC924FA7D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"4.3.0\",\"versionEndExcluding\":\"4.3.7\",\"matchCriteriaId\":\"22C8E2F5-D5D6-4309-91AB-C5AF23255D2C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"4.4.0\",\"versionEndExcluding\":\"4.4.3\",\"matchCriteriaId\":\"5CD03E57-232E-442C-B1E0-9C0974006F78\"}]}]}],\"references\":[{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=2309939\",\"source\":\"patrick@puiterwijk.org\",\"tags\":[\"Issue Tracking\"]},{\"url\":\"https://moodle.org/security/\",\"source\":\"patrick@puiterwijk.org\",\"tags\":[\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-45690\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-11-27T14:15:47.908173Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:moodle:moodle:-:*:*:*:*:*:*:*\"], \"vendor\": \"moodle\", \"product\": \"moodle\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"4.1.13\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"4.2.10\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"4.3.7\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"4.4.3\", \"versionType\": \"semver\"}], \"defaultStatus\": \"unknown\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-276\", \"description\": \"CWE-276 Incorrect Default Permissions\"}]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-11-27T14:15:16.951Z\"}}], \"cna\": {\"title\": \"Moodle: idor when deleting oauth2 linked accounts\", \"metrics\": [{\"other\": {\"type\": \"Red Hat severity rating\", \"content\": {\"value\": \"Important\", \"namespace\": \"https://access.redhat.com/security/updates/classification/\"}}}], \"affected\": [{\"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"4.1.13\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"4.2\", \"lessThan\": \"4.2.10\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"4.3\", \"lessThan\": \"4.3.7\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"4.4\", \"lessThan\": \"4.4.3\", \"versionType\": \"semver\"}], \"packageName\": \"moodle\", \"collectionURL\": \"https://github.com/moodle/moodle\", \"defaultStatus\": \"unaffected\"}], \"timeline\": [{\"lang\": \"en\", \"time\": \"2024-09-04T22:08:34.101000+00:00\", \"value\": \"Reported to Red Hat.\"}, {\"lang\": \"en\", \"time\": \"2024-09-09T00:00:00+00:00\", \"value\": \"Made public.\"}], \"datePublic\": \"2024-09-09T00:00:00+00:00\", \"references\": [{\"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=2309939\", \"name\": \"RHBZ#2309939\", \"tags\": [\"issue-tracking\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://moodle.org/security/\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"A flaw was found in Moodle. Additional checks were required to ensure users can only delete their OAuth2-linked accounts.\"}], \"providerMetadata\": {\"orgId\": \"92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5\", \"shortName\": \"fedora\", \"dateUpdated\": \"2024-11-20T10:23:38.420Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-45690\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-11-27T14:15:55.442Z\", \"dateReserved\": \"2024-09-04T22:00:30.976Z\", \"assignerOrgId\": \"92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5\", \"datePublished\": \"2024-11-20T10:23:38.420Z\", \"assignerShortName\": \"fedora\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

fkie_cve-2024-45690

Vulnerability from fkie_nvd

Published

2024-11-20 11:15

Modified

2025-06-02 15:34

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Summary

A flaw was found in Moodle. Additional checks were required to ensure users can only delete their OAuth2-linked accounts.

References

	URL	Tags
	patrick@puiterwijk.org	https://bugzilla.redhat.com/show_bug.cgi?id=2309939	Issue Tracking
	patrick@puiterwijk.org	https://moodle.org/security/	Vendor Advisory

Impacted products

Vendor	Product	Version
moodle	moodle	*
moodle	moodle	*
moodle	moodle	*
moodle	moodle	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "FFA99B07-9756-4DF8-A807-72D175B485F8",
              "versionEndExcluding": "4.1.13",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "9BA66423-C6E4-4083-A957-D8DAC924FA7D",
              "versionEndExcluding": "4.2.10",
              "versionStartIncluding": "4.2.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "22C8E2F5-D5D6-4309-91AB-C5AF23255D2C",
              "versionEndExcluding": "4.3.7",
              "versionStartIncluding": "4.3.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "5CD03E57-232E-442C-B1E0-9C0974006F78",
              "versionEndExcluding": "4.4.3",
              "versionStartIncluding": "4.4.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A flaw was found in Moodle. Additional checks were required to ensure users can only delete their OAuth2-linked accounts."
    },
    {
      "lang": "es",
      "value": "Se encontr\u00f3 una falla en Moodle. Se requirieron verificaciones adicionales para garantizar que los usuarios solo puedan eliminar sus cuentas vinculadas a OAuth2."
    }
  ],
  "id": "CVE-2024-45690",
  "lastModified": "2025-06-02T15:34:48.510",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2024-11-20T11:15:05.413",
  "references": [
    {
      "source": "patrick@puiterwijk.org",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2309939"
    },
    {
      "source": "patrick@puiterwijk.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://moodle.org/security/"
    }
  ],
  "sourceIdentifier": "patrick@puiterwijk.org",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-276"
        }
      ],
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "type": "Secondary"
    }
  ]
}

ghsa-fhg2-r2h9-h7q8

Vulnerability from github

Published

2024-11-20 12:30

Modified

2024-11-27 15:33

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
5.3 (Medium) - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

Summary

Moodle IDOR when deleting OAuth2 linked accounts

Details

A flaw was found in Moodle. Additional checks were required to ensure users can only delete their OAuth2-linked accounts.

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "moodle/moodle"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.1.13"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "moodle/moodle"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.2.0-beta"
            },
            {
              "fixed": "4.2.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "moodle/moodle"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.3.0-beta"
            },
            {
              "fixed": "4.3.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "moodle/moodle"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.4.0-beta"
            },
            {
              "fixed": "4.4.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-45690"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-276",
      "CWE-639"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-11-20T18:25:21Z",
    "nvd_published_at": "2024-11-20T11:15:05Z",
    "severity": "MODERATE"
  },
  "details": "A flaw was found in Moodle. Additional checks were required to ensure users can only delete their OAuth2-linked accounts.",
  "id": "GHSA-fhg2-r2h9-h7q8",
  "modified": "2024-11-27T15:33:01Z",
  "published": "2024-11-20T12:30:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45690"
    },
    {
      "type": "WEB",
      "url": "https://github.com/moodle/moodle/commit/809629e5afcd5be087e65668fe6cf67f2f4f5145"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2309939"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/moodle/moodle"
    },
    {
      "type": "WEB",
      "url": "https://moodle.org/mod/forum/discuss.php?d=461895#p1854492"
    },
    {
      "type": "WEB",
      "url": "https://moodle.org/security"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Moodle IDOR when deleting OAuth2 linked accounts"
}

De multiples vulnérabilités ont été découvertes dans Moodle. Certaines d'entre elles permettent à un attaquant de provoquer une atteinte à la confidentialité des données, une atteinte à l'intégrité des données et un contournement de la politique de sécurité.

Solutions

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Impacted products

Vendor	Product	Description
Moodle	Moodle	Moodle versions 4.3.x antérieures à 4.3.7
Moodle	Moodle	Moodle versions 4.1.x antérieures à 4.1.13
Moodle	Moodle	Moodle versions 4.4.x antérieures à 4.4.3
Moodle	Moodle	Moodle versions 4.2.x antérieures à 4.2.10

References

Title

Publication Time

WID-SEC-W-2024-2092

Vulnerability from csaf_certbund

Published

2024-09-09 22:00

Modified

2024-09-09 22:00

Summary

Moodle: Mehrere Schwachstellen

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung

Moodle ist ein Software-Paket, um internetbasierte Kurse zu entwickeln und durchzuführen. Es ist ein globales Softwareentwicklungsprojekt, das einen konstruktivistischen Lehr- und Lernansatz unterstützt.

Angriff

Ein entfernter, authentifizierter Angreifer kann mehrere Schwachstellen in Moodle ausnutzen, um Informationen offenzulegen, beliebige mit OAuth2 verknüpfte Konten zu löschen oder den Passwortschutz zu umgehen.

Betroffene Betriebssysteme

- Linux - Sonstiges - Windows

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "hoch"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Moodle ist ein Software-Paket, um internetbasierte Kurse zu entwickeln und durchzuf\u00fchren. Es ist ein globales Softwareentwicklungsprojekt, das einen konstruktivistischen Lehr- und Lernansatz unterst\u00fctzt.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter, authentifizierter Angreifer kann mehrere Schwachstellen in Moodle ausnutzen, um Informationen offenzulegen, beliebige mit OAuth2 verkn\u00fcpfte Konten zu l\u00f6schen oder den Passwortschutz zu umgehen.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Linux\n- Sonstiges\n- Windows",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2024-2092 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2024/wid-sec-w-2024-2092.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2024-2092 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-2092"
      },
      {
        "category": "external",
        "summary": "Moodle Security announcements vom 2024-09-09",
        "url": "https://moodle.org/mod/forum/discuss.php?d=461894"
      },
      {
        "category": "external",
        "summary": "Moodle Security announcements vom 2024-09-09",
        "url": "https://moodle.org/mod/forum/discuss.php?d=461895"
      },
      {
        "category": "external",
        "summary": "Moodle Security announcements vom 2024-09-09",
        "url": "https://moodle.org/mod/forum/discuss.php?d=461897"
      }
    ],
    "source_lang": "en-US",
    "title": "Moodle: Mehrere Schwachstellen",
    "tracking": {
      "current_release_date": "2024-09-09T22:00:00.000+00:00",
      "generator": {
        "date": "2024-09-10T11:04:56.254+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.3.6"
        }
      },
      "id": "WID-SEC-W-2024-2092",
      "initial_release_date": "2024-09-09T22:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2024-09-09T22:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c4.4.3",
                "product": {
                  "name": "Open Source Moodle \u003c4.4.3",
                  "product_id": "T037392"
                }
              },
              {
                "category": "product_version",
                "name": "4.4.3",
                "product": {
                  "name": "Open Source Moodle 4.4.3",
                  "product_id": "T037392-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:open_source:moodle:4.4.3"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c4.3.7",
                "product": {
                  "name": "Open Source Moodle \u003c4.3.7",
                  "product_id": "T037393"
                }
              },
              {
                "category": "product_version",
                "name": "4.3.7",
                "product": {
                  "name": "Open Source Moodle 4.3.7",
                  "product_id": "T037393-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:open_source:moodle:4.3.7"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c4.2.10",
                "product": {
                  "name": "Open Source Moodle \u003c4.2.10",
                  "product_id": "T037394"
                }
              },
              {
                "category": "product_version",
                "name": "4.2.10",
                "product": {
                  "name": "Open Source Moodle 4.2.10",
                  "product_id": "T037394-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:open_source:moodle:4.2.10"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c4.1.13",
                "product": {
                  "name": "Open Source Moodle \u003c4.1.13",
                  "product_id": "T037395"
                }
              },
              {
                "category": "product_version",
                "name": "4.1.13",
                "product": {
                  "name": "Open Source Moodle 4.1.13",
                  "product_id": "T037395-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:open_source:moodle:4.1.13"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Moodle"
          }
        ],
        "category": "vendor",
        "name": "Open Source"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-45689",
      "notes": [
        {
          "category": "description",
          "text": "Es besteht eine Schwachstelle in Moodle. Dieser Fehler existiert in den dynamischen Tabellen wegen einer unzureichenden Pr\u00fcfung, die es erlaubt, Informationen ohne die richtige Berechtigung abzurufen. Ein entfernter authentifizierter Angreifer kann diese Schwachstelle ausnutzen, um vertrauliche Informationen offenzulegen."
        }
      ],
      "product_status": {
        "known_affected": [
          "T037392",
          "T037393",
          "T037394",
          "T037395"
        ]
      },
      "release_date": "2024-09-09T22:00:00.000+00:00",
      "title": "CVE-2024-45689"
    },
    {
      "cve": "CVE-2024-45690",
      "notes": [
        {
          "category": "description",
          "text": "Es besteht eine Schwachstelle in Moodle. Dieser Fehler existiert wegen einer unsicheren direkten Objektreferenz. Ein entfernter authentifizierter Angreifer kann diese Schwachstelle ausnutzen, um beliebige OAuth2 verkn\u00fcpfte Konten zu l\u00f6schen."
        }
      ],
      "product_status": {
        "known_affected": [
          "T037392",
          "T037393",
          "T037394",
          "T037395"
        ]
      },
      "release_date": "2024-09-09T22:00:00.000+00:00",
      "title": "CVE-2024-45690"
    },
    {
      "cve": "CVE-2024-45691",
      "notes": [
        {
          "category": "description",
          "text": "Es besteht eine Schwachstelle in Moodle. Dieser Fehler existiert wegen eines losen Vergleichs in der Logik der Passwortpr\u00fcfung. Ein entfernter, authentifizierter Angreifer kann diese Schwachstelle ausnutzen, um Passw\u00f6rter f\u00fcr die Lektionsaktivit\u00e4t zu umgehen."
        }
      ],
      "product_status": {
        "known_affected": [
          "T037392",
          "T037393",
          "T037394",
          "T037395"
        ]
      },
      "release_date": "2024-09-09T22:00:00.000+00:00",
      "title": "CVE-2024-45691"
    }
  ]
}

wid-sec-w-2024-2092

Vulnerability from csaf_certbund

Published

2024-09-09 22:00

Modified

2024-09-09 22:00

Summary

Moodle: Mehrere Schwachstellen

Notes

Produktbeschreibung

Angriff

Betroffene Betriebssysteme

- Linux - Sonstiges - Windows

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "hoch"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Moodle ist ein Software-Paket, um internetbasierte Kurse zu entwickeln und durchzuf\u00fchren. Es ist ein globales Softwareentwicklungsprojekt, das einen konstruktivistischen Lehr- und Lernansatz unterst\u00fctzt.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter, authentifizierter Angreifer kann mehrere Schwachstellen in Moodle ausnutzen, um Informationen offenzulegen, beliebige mit OAuth2 verkn\u00fcpfte Konten zu l\u00f6schen oder den Passwortschutz zu umgehen.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Linux\n- Sonstiges\n- Windows",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2024-2092 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2024/wid-sec-w-2024-2092.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2024-2092 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-2092"
      },
      {
        "category": "external",
        "summary": "Moodle Security announcements vom 2024-09-09",
        "url": "https://moodle.org/mod/forum/discuss.php?d=461894"
      },
      {
        "category": "external",
        "summary": "Moodle Security announcements vom 2024-09-09",
        "url": "https://moodle.org/mod/forum/discuss.php?d=461895"
      },
      {
        "category": "external",
        "summary": "Moodle Security announcements vom 2024-09-09",
        "url": "https://moodle.org/mod/forum/discuss.php?d=461897"
      }
    ],
    "source_lang": "en-US",
    "title": "Moodle: Mehrere Schwachstellen",
    "tracking": {
      "current_release_date": "2024-09-09T22:00:00.000+00:00",
      "generator": {
        "date": "2024-09-10T11:04:56.254+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.3.6"
        }
      },
      "id": "WID-SEC-W-2024-2092",
      "initial_release_date": "2024-09-09T22:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2024-09-09T22:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c4.4.3",
                "product": {
                  "name": "Open Source Moodle \u003c4.4.3",
                  "product_id": "T037392"
                }
              },
              {
                "category": "product_version",
                "name": "4.4.3",
                "product": {
                  "name": "Open Source Moodle 4.4.3",
                  "product_id": "T037392-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:open_source:moodle:4.4.3"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c4.3.7",
                "product": {
                  "name": "Open Source Moodle \u003c4.3.7",
                  "product_id": "T037393"
                }
              },
              {
                "category": "product_version",
                "name": "4.3.7",
                "product": {
                  "name": "Open Source Moodle 4.3.7",
                  "product_id": "T037393-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:open_source:moodle:4.3.7"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c4.2.10",
                "product": {
                  "name": "Open Source Moodle \u003c4.2.10",
                  "product_id": "T037394"
                }
              },
              {
                "category": "product_version",
                "name": "4.2.10",
                "product": {
                  "name": "Open Source Moodle 4.2.10",
                  "product_id": "T037394-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:open_source:moodle:4.2.10"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c4.1.13",
                "product": {
                  "name": "Open Source Moodle \u003c4.1.13",
                  "product_id": "T037395"
                }
              },
              {
                "category": "product_version",
                "name": "4.1.13",
                "product": {
                  "name": "Open Source Moodle 4.1.13",
                  "product_id": "T037395-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:open_source:moodle:4.1.13"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Moodle"
          }
        ],
        "category": "vendor",
        "name": "Open Source"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-45689",
      "notes": [
        {
          "category": "description",
          "text": "Es besteht eine Schwachstelle in Moodle. Dieser Fehler existiert in den dynamischen Tabellen wegen einer unzureichenden Pr\u00fcfung, die es erlaubt, Informationen ohne die richtige Berechtigung abzurufen. Ein entfernter authentifizierter Angreifer kann diese Schwachstelle ausnutzen, um vertrauliche Informationen offenzulegen."
        }
      ],
      "product_status": {
        "known_affected": [
          "T037392",
          "T037393",
          "T037394",
          "T037395"
        ]
      },
      "release_date": "2024-09-09T22:00:00.000+00:00",
      "title": "CVE-2024-45689"
    },
    {
      "cve": "CVE-2024-45690",
      "notes": [
        {
          "category": "description",
          "text": "Es besteht eine Schwachstelle in Moodle. Dieser Fehler existiert wegen einer unsicheren direkten Objektreferenz. Ein entfernter authentifizierter Angreifer kann diese Schwachstelle ausnutzen, um beliebige OAuth2 verkn\u00fcpfte Konten zu l\u00f6schen."
        }
      ],
      "product_status": {
        "known_affected": [
          "T037392",
          "T037393",
          "T037394",
          "T037395"
        ]
      },
      "release_date": "2024-09-09T22:00:00.000+00:00",
      "title": "CVE-2024-45690"
    },
    {
      "cve": "CVE-2024-45691",
      "notes": [
        {
          "category": "description",
          "text": "Es besteht eine Schwachstelle in Moodle. Dieser Fehler existiert wegen eines losen Vergleichs in der Logik der Passwortpr\u00fcfung. Ein entfernter, authentifizierter Angreifer kann diese Schwachstelle ausnutzen, um Passw\u00f6rter f\u00fcr die Lektionsaktivit\u00e4t zu umgehen."
        }
      ],
      "product_status": {
        "known_affected": [
          "T037392",
          "T037393",
          "T037394",
          "T037395"
        ]
      },
      "release_date": "2024-09-09T22:00:00.000+00:00",
      "title": "CVE-2024-45691"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CVE-2024-45690 (GCVE-0-2024-45690)

Vulnerability from cvelistv5

fkie_cve-2024-45690

Vulnerability from fkie_nvd

ghsa-fhg2-r2h9-h7q8

Vulnerability from github

CERTFR-2024-AVI-0756

Vulnerability from certfr_avis

Solutions

WID-SEC-W-2024-2092

Vulnerability from csaf_certbund

wid-sec-w-2024-2092

Vulnerability from csaf_certbund

Tags

Sightings

Nomenclature