CVE-2024-48900 — Moodle IDOR when accessing list of badge recipients

Description

A vulnerability was found in Moodle. Additional checks are required to ensure users with permission to view badge recipients can only access lists of those they are intended to have access to.

How to fix CVE-2024-48900

To remediate CVE-2024-48900, upgrade the affected package to a fixed version below.

Bitnami/moodle—upgrade to 4.4.4 or later
—upgrade to 4.4.4 or later

Is CVE-2024-48900 being exploited?

Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

>= 4.4.0, < 4.4.4
>= 4.4.0, < 4.4.4

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
osv	CVSS 3.1	MEDIUM4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2024-48900
PATCHgithub.com/moodle/moodle
WEBgit.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-83178
WEBbugzilla.redhat.com/show_bug.cgi?id=2318818
WEB