Inadequate Access Control in Moodle LMS Could Allow Arbitrary Event Creation
CVE-2024-1439

3.3LOW

Key Information:

Vendor: Moodle
Status: LMS
Vendor: CVE Published:; 12 February 2024

Summary

Inadequate access control in Moodle LMS. This vulnerability could allow a local user with a student role to create arbitrary events intended for users with higher roles. It could also allow the attacker to add events to the calendar of all users without their prior consent.

Affected Version(s)

LMS 0 <= 4.2

References

https://www.incibe.es/en/incibe-cert/notices/aviso/inadeq...

CVSS V3.1

Score:

3.3

Severity:

LOW

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Feb 12, 2024
Vulnerability Reserved
Feb 12, 2024

Credit

David Utón Amaya