CVE-2022-0984 — Incorrect Authorization in Moodle

CWE-863 — Incorrect Authorization CWE-416 — Use After Free6 documents5 sources

Severity

4.3MEDIUMNVD

CISA8.8

EPSS

0.2%

top 59.77%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Moodle Fedoraproject Fedora Redhat Enterprise Linux

Timeline

PublishedApr 29

Latest updateMay 25

Description

Users with the capability to configure badge criteria (teachers and managers by default) were able to configure course badges with profile field criteria, which should only be available for site badges.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages3 packages

▶NVDmoodle/moodle3.9.0 — 3.9.13+2

▶Packagistmoodle/moodle3.11.0 — 3.11.6+2

▶CVEListV5moodle/moodlemoodle 3.11.6, moodle 3.10.10, moodle 3.9.13

Also affects: Fedora 34, 35, 36, Enterprise Linux 7.0

🔴Vulnerability Details

GHSA

Missing authorization in Moodle↗2022-04-30

▶

OSV

Missing authorization in Moodle↗2022-04-30

▶

OSV

CVE-2022-0984: Users with the capability to configure badge criteria (teachers and managers by default) were able to configure course badges with profile field crite↗2022-04-29

▶

CVEList

CVE-2022-0984: Users with the capability to configure badge criteria (teachers and managers by default) were able to configure course badges with profile field crite↗2022-04-29

▶

📋Vendor Advisories

CISA

Adobe Flash Player and AIR Use-After-Free Vulnerability↗2022-05-25

▶