CVSS: -EPSS: 0%CPEs: 3EXPL: 0CVE-2024-38277 – moodle: QR login key and auto-login key for the Moodle mobile app should be generated as separate keys
https://notcve.org/view.php?id=CVE-2024-38277
A unique key should be generated for a user's QR login key and their auto-login key, so the same key cannot be used interchangeably between the two. Se debe generar una clave única para la clave de inicio de sesión QR de un usuario y su clave de inicio de sesión automático, de modo que la misma clave no se pueda usar indistintamente entre las dos. • https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F7AZYR7EXV6E5SQE2GYTNQE3NOENJCQ6 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GHTIX55J4Q4LEOMLNEA4OZSWVEENQX7E https://moodle.org/mod/forum/discuss.php?d=459502 • CWE-324: Use of a Key Past its Expiration Date •
CVSS: -EPSS: 0%CPEs: 3EXPL: 0CVE-2024-38276 – moodle: CSRF risks due to misuse of confirm_sesskey
https://notcve.org/view.php?id=CVE-2024-38276
Incorrect CSRF token checks resulted in multiple CSRF risks. Las comprobaciones incorrectas de tokens CSRF dieron lugar a múltiples riesgos de CSRF. • https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F7AZYR7EXV6E5SQE2GYTNQE3NOENJCQ6 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GHTIX55J4Q4LEOMLNEA4OZSWVEENQX7E https://moodle.org/mod/forum/discuss.php?d=459501 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 0CVE-2024-38275 – moodle: HTTP authorization header is preserved between "emulated redirects"
https://notcve.org/view.php?id=CVE-2024-38275
The cURL wrapper in Moodle retained the original request headers when following redirects, so HTTP authorization header information could be unintentionally sent in requests to redirect URLs. El contenedor cURL en Moodle retuvo los encabezados de solicitud originales al seguir redirecciones, por lo que la información del encabezado de autorización HTTP podría enviarse involuntariamente en solicitudes para redireccionar URL. • https://moodle.org/mod/forum/discuss.php?d=459500 • CWE-226: Sensitive Information in Resource Not Removed Before Reuse •
CVSS: -EPSS: 0%CPEs: 3EXPL: 0CVE-2024-38274 – moodle: stored XSS via calendar's event title when deleting the event
https://notcve.org/view.php?id=CVE-2024-38274
Insufficient escaping of calendar event titles resulted in a stored XSS risk in the event deletion prompt. El escape insuficiente de los títulos de los eventos del calendario resultó en un riesgo XSS almacenado en el mensaje de eliminación del evento. • https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F7AZYR7EXV6E5SQE2GYTNQE3NOENJCQ6 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GHTIX55J4Q4LEOMLNEA4OZSWVEENQX7E https://moodle.org/mod/forum/discuss.php?d=459499 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: -EPSS: 0%CPEs: 3EXPL: 0CVE-2024-38273 – moodle: BigBlueButton web service leaks meeting joining information to users who should not have access
https://notcve.org/view.php?id=CVE-2024-38273
Insufficient capability checks meant it was possible for users to gain access to BigBlueButton join URLs they did not have permission to access. Las comprobaciones de capacidad insuficientes significaron que era posible que los usuarios obtuvieran acceso a las URL de unión de BigBlueButton a las que no tenían permiso para acceder. • https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F7AZYR7EXV6E5SQE2GYTNQE3NOENJCQ6 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GHTIX55J4Q4LEOMLNEA4OZSWVEENQX7E https://moodle.org/mod/forum/discuss.php?d=459498 • CWE-284: Improper Access Control •