CVE-2021-20283

Description

The web service responsible for fetching other users' enrolled courses did not validate that the requesting user had permission to view that information in each course in moodle before 3.10.2, 3.9.5, 3.8.8, 3.5.17.

Related CPE's

a moodle moodle ********

o fedoraproject fedora 32 *******

o fedoraproject fedora 34 *******

References

https://moodle.org/mod/forum/discuss.php?d=419654

PatchVendor Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=1939051

Issue TrackingThird Party Advisory

FEDORA-2021-1c27e89d49

Mailing ListThird Party Advisory

FEDORA-2021-50f63a0161

Mailing ListThird Party Advisory

CvssV3 impact

Version	3.1
VectorString	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
AttackVector	NETWORK
AttackComplexity	LOW
PrivilegesRequired	LOW
UserInteraction	NONE
Scope	UNCHANGED
ConfidentialityImpact	LOW
IntegrityImpact	NONE
AvailabilityImpact	NONE
BaseScore	4.3
BaseSeverity	MEDIUM

CvssV2 impact

Version	2.0
VectorString	AV:N/AC:L/Au:S/C:P/I:N/A:N
AccessVector	NETWORK
AccessComplexity	LOW
Authentication	SINGLE
ConfidentialityImpact	PARTIAL
IntegrityImpact	NONE
AvailabilityImpact	NONE
BaseScore	4

Created by Yello

About Severity.io