CVE-2024-25983 — Authorization Bypass in moodle

Description

Insufficient checks in a web service made it possible to add comments to the comments block on another user's dashboard when it was not otherwise available (e.g., on their profile page).

How to fix CVE-2024-25983

To remediate CVE-2024-25983, upgrade the affected package to a fixed version below.

Bitnami/moodle—upgrade to 4.1.9 or later
—upgrade to 4.3.3 or later

Is CVE-2024-25983 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 4.1.9, >= 4.2.0, < 4.2.6, >= 4.3.0, < 4.3.3
>= 4.3.0, < 4.3.3

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

References (8)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2024-25983
PATCHgithub.com/moodle/moodle
WEBgit.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-78300
WEBbugzilla.redhat.com/show_bug.cgi?id=2264099
WEB