CVE-2024-25980 — Improper Access Control in moodle

Description

Separate Groups mode restrictions were not honored in the H5P attempts report, which would display users from other groups. By default this only provided additional access to non-editing teachers.

How to fix CVE-2024-25980

To remediate CVE-2024-25980, upgrade the affected package to a fixed version below.

Bitnami/moodle—upgrade to 4.1.9 or later
—upgrade to 4.3.3 or later

Is CVE-2024-25980 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 4.1.9, >= 4.2.0, < 4.2.6, >= 4.3.0, < 4.3.3
>= 4.3.0, < 4.3.3

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References (8)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2024-25980
PATCHgithub.com/moodle/moodle
WEBgit.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-80501
WEBbugzilla.redhat.com/show_bug.cgi?id=2264096
WEB