CVE-2022-40316 — Missing Authorization in Moodle

CWE-862 — Missing Authorization CWE-668 — Resource Exposure4 documents3 sources

Severity

4.3MEDIUMNVD

EPSS

0.2%

top 63.46%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Moodle Fedoraproject Extra Packages FOR Enterprise Linux Fedoraproject Fedora

Timeline

PublishedSep 30

Latest updateOct 1

Description

The H5P activity attempts report did not filter by groups, which in separate groups mode could reveal information to non-editing teachers about attempts/users in groups they should not have access to.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages4 packages

▶NVDmoodle/moodle3.9.0 — 3.9.17+2

▶Packagistmoodle/moodle3.9 — 3.9.17+2

▶CVEListV5moodle/moodle4.0 to 4.0.3, 3.11 to 3.11.9, 3.9 to 3.9.16 and earlier unsupported versions

▶NVDfedoraproject/extra_packages8.0

Also affects: Fedora 35, 36

Patches

Patch: bugzilla.redhat.com ↗Patch: moodle.org ↗Patch: bugzilla.redhat.com ↗

🔴Vulnerability Details

GHSA

Moodle No groups filtering in H5P activity attempts report↗2022-10-01

▶

OSV

Moodle No groups filtering in H5P activity attempts report↗2022-10-01

▶

OSV

CVE-2022-40316: The H5P activity attempts report did not filter by groups, which in separate groups mode could reveal information to non-editing teachers about attemp↗2022-09-30

▶