CVE-2024-43438

A flaw was found in Feedback. Bulk messaging in the activity's non-respondents report did not verify message recipients belonging to the set of users returned by the report.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://bugzilla.redhat.com/show_bug.cgi?id=2304267	Permissions Required
https://moodle.org/mod/forum/discuss.php?d=461208	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:moodle:moodle::::::::
	cpe:2.3:a:moodle:moodle::::::::
	cpe:2.3:a:moodle:moodle::::::::
	cpe:2.3:a:moodle:moodle::::::::

History

05 Aug 2025, 18:36

Type	Values Removed	Values Added
First Time		Moodle Moodle moodle
CPE		cpe:2.3:a:moodle:moodle::::::::
References	~~() https://bugzilla.redhat.com/show_bug.cgi?id=2304267 -~~	() https://bugzilla.redhat.com/show_bug.cgi?id=2304267 - Permissions Required
References	~~() https://moodle.org/mod/forum/discuss.php?d=461208 -~~	() https://moodle.org/mod/forum/discuss.php?d=461208 - Vendor Advisory

08 Nov 2024, 19:01

Type	Values Removed	Values Added
Summary		(es) Se encontró una falla en Feedback. Los mensajes masivos en el informe de no participantes de la actividad no verificaban los destinatarios de los mensajes que pertenecían al conjunto de usuarios que devolvía el informe.

07 Nov 2024, 17:35

Type	Values Removed	Values Added
CWE		CWE-639

07 Nov 2024, 14:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-11-07 14:15

Updated : 2025-08-05 18:36

NVD link : CVE-2024-43438

Mitre link : CVE-2024-43438

CVE.ORG link : CVE-2024-43438

JSON object : View

Products Affected

moodle

moodle

CWE

CWE-639

Authorization Bypass Through User-Controlled Key

{"id": "CVE-2024-43438", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "patrick@puiterwijk.org", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2024-11-07T14:15:16.430", "references": [{"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2304267", "tags": ["Permissions Required"], "source": "patrick@puiterwijk.org"}, {"url": "https://moodle.org/mod/forum/discuss.php?d=461208", "tags": ["Vendor Advisory"], "source": "patrick@puiterwijk.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-639"}]}], "descriptions": [{"lang": "en", "value": "A flaw was found in Feedback. Bulk messaging in the activity's non-respondents report did not verify message recipients belonging to the set of users returned by the report."}, {"lang": "es", "value": "Se encontr\u00f3 una falla en Feedback. Los mensajes masivos en el informe de no participantes de la actividad no verificaban los destinatarios de los mensajes que pertenec\u00edan al conjunto de usuarios que devolv\u00eda el informe."}], "lastModified": "2025-08-05T18:36:38.067", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1C7D59EF-3215-477B-8056-B3954A4064D0", "versionEndExcluding": "4.1.12", "versionStartIncluding": "4.1.0"}, {"criteria": "cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B8D123FB-556C-4602-91CB-ABE6541079F3", "versionEndExcluding": "4.2.9", "versionStartIncluding": "4.2.0"}, {"criteria": "cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FBA8C381-9493-42BD-A5EA-7AADFAB68C5E", "versionEndExcluding": "4.3.6", "versionStartIncluding": "4.3.0"}, {"criteria": "cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "277E1058-2F00-45DB-8BFC-2628CCC89981", "versionEndExcluding": "4.4.2", "versionStartIncluding": "4.4.0"}], "operator": "OR"}]}], "sourceIdentifier": "patrick@puiterwijk.org"}