CVE-2024-25980

Separate Groups mode restrictions were not honored in the H5P attempts report, which would display users from other groups. By default this only provided additional access to non-editing teachers.

CVSS v3 4.3 MEDIUM

4.3^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-80501	Patch
https://bugzilla.redhat.com/show_bug.cgi?id=2264096	Issue Tracking
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KXGBYJ43BUEBUAQZU3DT5I5A3YLF47CB/	Mailing List
https://moodle.org/mod/forum/discuss.php?d=455636	Vendor Advisory
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-80501	Patch
https://bugzilla.redhat.com/show_bug.cgi?id=2264096	Issue Tracking
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KXGBYJ43BUEBUAQZU3DT5I5A3YLF47CB/	Mailing List
https://moodle.org/mod/forum/discuss.php?d=455636	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:moodle:moodle::::::::
	cpe:2.3:a:moodle:moodle::::::::
	cpe:2.3:a:moodle:moodle::::::::

Configuration 2 (hide)

cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*

History

23 Jan 2025, 16:47

Type	Values Removed	Values Added
CPE		cpe:2.3:o:fedoraproject:fedora:38:::::::* cpe:2.3:a:moodle:moodle::::::::
CWE		NVD-CWE-noinfo
First Time		Fedoraproject fedora Fedoraproject Moodle moodle Moodle
References	~~() http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-80501 -~~	() http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-80501 - Patch
References	~~() https://bugzilla.redhat.com/show_bug.cgi?id=2264096 -~~	() https://bugzilla.redhat.com/show_bug.cgi?id=2264096 - Issue Tracking
References	~~() https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KXGBYJ43BUEBUAQZU3DT5I5A3YLF47CB/ -~~	() https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KXGBYJ43BUEBUAQZU3DT5I5A3YLF47CB/ - Mailing List
References	~~() https://moodle.org/mod/forum/discuss.php?d=455636 -~~	() https://moodle.org/mod/forum/discuss.php?d=455636 - Vendor Advisory

21 Nov 2024, 09:01

Type	Values Removed	Values Added
References	~~() http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-80501 -~~	() http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-80501 -
References	~~() https://bugzilla.redhat.com/show_bug.cgi?id=2264096 -~~	() https://bugzilla.redhat.com/show_bug.cgi?id=2264096 -
References	~~() https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KXGBYJ43BUEBUAQZU3DT5I5A3YLF47CB/ -~~	() https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KXGBYJ43BUEBUAQZU3DT5I5A3YLF47CB/ -
References	~~() https://moodle.org/mod/forum/discuss.php?d=455636 -~~	() https://moodle.org/mod/forum/discuss.php?d=455636 -

29 Feb 2024, 03:15

Type	Values Removed	Values Added
References		() https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KXGBYJ43BUEBUAQZU3DT5I5A3YLF47CB/ -

20 Feb 2024, 19:50

Type	Values Removed	Values Added
Summary		(es) Las restricciones del modo de grupos separados no se respetaron en el informe de intentos de H5P, que mostraría usuarios de otros grupos. De forma predeterminada, esto solo proporcionaba acceso adicional a los profesores que no eran editores.

19 Feb 2024, 17:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-02-19 17:15

Updated : 2025-01-23 16:47

NVD link : CVE-2024-25980

Mitre link : CVE-2024-25980

CVE.ORG link : CVE-2024-25980

JSON object : View

Products Affected

fedoraproject

fedora

moodle

moodle

CWE

CWE-284

Improper Access Control

NVD-CWE-noinfo

{"id": "CVE-2024-25980", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "patrick@puiterwijk.org", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 2.8}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.9}]}, "published": "2024-02-19T17:15:09.023", "references": [{"url": "http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-80501", "tags": ["Patch"], "source": "patrick@puiterwijk.org"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2264096", "tags": ["Issue Tracking"], "source": "patrick@puiterwijk.org"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KXGBYJ43BUEBUAQZU3DT5I5A3YLF47CB/", "tags": ["Mailing List"], "source": "patrick@puiterwijk.org"}, {"url": "https://moodle.org/mod/forum/discuss.php?d=455636", "tags": ["Vendor Advisory"], "source": "patrick@puiterwijk.org"}, {"url": "http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-80501", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2264096", "tags": ["Issue Tracking"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KXGBYJ43BUEBUAQZU3DT5I5A3YLF47CB/", "tags": ["Mailing List"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://moodle.org/mod/forum/discuss.php?d=455636", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "patrick@puiterwijk.org", "description": [{"lang": "en", "value": "CWE-284"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "Separate Groups mode restrictions were not honored in the H5P attempts report, which would display users from other groups. By default this only provided additional access to non-editing teachers."}, {"lang": "es", "value": "Las restricciones del modo de grupos separados no se respetaron en el informe de intentos de H5P, que mostrar\u00eda usuarios de otros grupos. De forma predeterminada, esto solo proporcionaba acceso adicional a los profesores que no eran editores."}], "lastModified": "2025-01-23T16:47:04.460", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CEC7A69A-C831-4087-B210-0C4DA13BA20B", "versionEndExcluding": "4.1.9", "versionStartIncluding": "4.1.0"}, {"criteria": "cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FCCA487E-E8A2-496D-8439-01D492B7E95C", "versionEndExcluding": "4.2.6", "versionStartIncluding": "4.2.0"}, {"criteria": "cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "442D221B-7597-4FF2-A43E-ADFA21036DBE", "versionEndExcluding": "4.3.3", "versionStartIncluding": "4.3.0"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CC559B26-5DFC-4B7A-A27C-B77DE755DFF9"}], "operator": "OR"}]}], "sourceIdentifier": "patrick@puiterwijk.org"}

4.3 /10