CVE-2024-34008 – moodle: CSRF risk in analytics management of models
https://notcve.org/view.php?id=CVE-2024-34008
Actions in the admin management of analytics models did not include the necessary token to prevent a CSRF risk. Las acciones en la gestión administrativa de los modelos de análisis no incluyeron el token necesario para prevenir un riesgo CSRF. • https://moodle.org/mod/forum/discuss.php?d=458397 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2024-33996 – moodle: broken access control when setting calendar event type
https://notcve.org/view.php?id=CVE-2024-33996
Incorrect validation of allowed event types in a calendar web service made it possible for some users to create events with types/audiences they did not have permission to publish to. La validación incorrecta de los tipos de eventos permitidos en un servicio web de calendario hizo posible que algunos usuarios crearan eventos con tipos/audiencias para los que no tenían permiso para publicar. • https://moodle.org/mod/forum/discuss.php?d=458384#p1840909 • CWE-20: Improper Input Validation •
CVE-2024-1439 – Inadequate access control vulnerability in Moodle
https://notcve.org/view.php?id=CVE-2024-1439
Inadequate access control in Moodle LMS. This vulnerability could allow a local user with a student role to create arbitrary events intended for users with higher roles. It could also allow the attacker to add events to the calendar of all users without their prior consent. Control de acceso inadecuado en Moodle LMS. Esta vulnerabilidad podría permitir que un usuario local con rol de estudiante cree eventos arbitrarios destinados a usuarios con roles superiores. • https://www.incibe.es/en/incibe-cert/notices/aviso/inadequate-access-control-vulnerability-moodle • CWE-284: Improper Access Control •
CVE-2023-5543 – Moodle: duplicating a bigbluebutton activity assigns the same meeting id
https://notcve.org/view.php?id=CVE-2023-5543
When duplicating a BigBlueButton activity, the original meeting ID was also duplicated instead of using a new ID for the new activity. This could provide unintended access to the original meeting. Al duplicar una actividad de BigBlueButton, el ID de la reunión original también se duplicó en lugar de utilizar un nuevo ID para la nueva actividad. Esto podría proporcionar un acceso no deseado a la reunión original. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-77795 https://bugzilla.redhat.com/show_bug.cgi?id=2243442 https://moodle.org/mod/forum/discuss.php?d=451584 • CWE-284: Improper Access Control •
CVE-2023-5551 – Moodle: forum summary report shows students from other groups when in separate groups mode
https://notcve.org/view.php?id=CVE-2023-5551
Separate Groups mode restrictions were not honoured in the forum summary report, which would display users from other groups. Las restricciones del modo de grupos separados no se respetaron en el informe de resumen del foro, que mostraría usuarios de otros grupos. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-79310 https://bugzilla.redhat.com/show_bug.cgi?id=2243453 https://moodle.org/mod/forum/discuss.php?d=451592 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •