CVE-2021-43560

Published: Nov 22, 2021Modified: Nov 21, 2024

5.3

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Exploitability: 3.9 / Impact: 1.4

Source: NVD

Description

A flaw was found in Moodle in versions 3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10 and earlier unsupported versions. Insufficient capability checks made it possible to fetch other users' calendar action events.

Affected (6)

Products: Moodle: Moodle · Fedoraproject: Extra Packages For Enterprise Linux, Fedora

Moodle

1 product

Moodle

Fedoraproject

2 products

Extra Packages For Enterprise Linux

Fedora

Configuration A

4 vulnerable

Vulnerable Software	Affected Versions
Moodle Moodle	Up to 3.8.8
Moodle Moodle	From 3.10.0 to 3.10.8
Moodle Moodle	From 3.11.0 to 3.11.4
Moodle Moodle	From 3.9.0 to 3.9.11

Configuration B

2 vulnerable

Vulnerable Software	Affected Versions
Fedoraproject Extra Packages For Enterprise Linux	Version 7.0
Fedoraproject Fedora	Version 35

Related CWEs

CWE-668

Exposure of Resource to Wrong Sphere

The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.

CWE-863

Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

References (4)

https://bugzilla.redhat.com/show_bug.cgi?id=2021519

Source: patrick@puiterwijk.org

Issue TrackingThird Party Advisory

https://moodle.org/mod/forum/discuss.php?d=429100

Source: patrick@puiterwijk.org

PatchVendor Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=2021519

Source: af854a3a-2127-422b-91ae-364da2661108

Issue TrackingThird Party Advisory

https://moodle.org/mod/forum/discuss.php?d=429100

Source: af854a3a-2127-422b-91ae-364da2661108

PatchVendor Advisory

Timeline

No history available yet.