CVE-2021-43560 — Incorrect Authorization in Moodle

CWE-863 — Incorrect Authorization CWE-668 — Resource Exposure4 documents3 sources

Severity

5.3MEDIUMNVD

EPSS

0.2%

top 63.68%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Moodle Fedoraproject Extra Packages FOR Enterprise Linux Fedoraproject Fedora

Timeline

PublishedNov 22

Latest updateMay 24

Description

A flaw was found in Moodle in versions 3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10 and earlier unsupported versions. Insufficient capability checks made it possible to fetch other users' calendar action events.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages4 packages

▶NVDmoodle/moodle3.9.0 — 3.9.11+3

▶Packagistmoodle/moodle3.9 — 3.9.11+2

▶CVEListV5moodle/moodlemoodle 3.11.4, moodle 3.10.8 and moodle 3.9.11

▶NVDfedoraproject/extra_packages7.0

Also affects: Fedora 35

Patches

Patch: moodle.org ↗Patch: moodle.org ↗

🔴Vulnerability Details

OSV

Moodle Insecure direct object reference (IDOR) in a calendar web service↗2022-05-24

▶

GHSA

Moodle Insecure direct object reference (IDOR) in a calendar web service↗2022-05-24

▶

OSV

CVE-2021-43560: A flaw was found in Moodle in versions 3↗2021-11-22

▶