CVE-2021-20282

Description

When creating a user account, it was possible to verify the account without having access to the verification email link/secret in moodle before 3.10.2, 3.9.5, 3.8.8, 3.5.17.

Related CPE's

amoodlemoodle********

amoodlemoodle********

amoodlemoodle********

amoodlemoodle********

ofedoraprojectfedora32*******

ofedoraprojectfedora34*******

References

https://moodle.org/mod/forum/discuss.php?d=419653

PatchVendor Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=1939046

Issue TrackingThird Party Advisory

FEDORA-2021-1c27e89d49

Mailing ListThird Party Advisory

FEDORA-2021-50f63a0161

Mailing ListThird Party Advisory

CvssV3 impact

Version

3.1

VectorString

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

AttackVector

NETWORK

AttackComplexity

LOW

PrivilegesRequired

NONE

UserInteraction

NONE

Scope

UNCHANGED

ConfidentialityImpact

NONE

IntegrityImpact

LOW

AvailabilityImpact

NONE

BaseScore

5.3

BaseSeverity

MEDIUM

CvssV2 impact

Version

2.0

VectorString

AV:N/AC:L/Au:N/C:N/I:P/A:N

AccessVector

NETWORK

AccessComplexity

LOW

Authentication

NONE

ConfidentialityImpact

NONE

IntegrityImpact

PARTIAL

AvailabilityImpact

NONE

BaseScore

5

Created by Yello
About Severity.io