Fedora 41 update for moodle
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 6 |
| CVE-ID | CVE-2024-55648 CVE-2024-55647 CVE-2024-55646 CVE-2024-55645 CVE-2024-55644 CVE-2024-55643 |
| CWE-ID | CWE-399 CWE-79 CWE-269 CWE-200 CWE-284 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
Fedora Operating systems & Components / Operating system moodle Operating systems & Components / Operating system package or component |
| Vendor | Fedoraproject |
Security Bulletin
This security bulletin contains information about 6 vulnerabilities.
1) Resource management error
EUVDB-ID: #VU101811
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2024-55648
CWE-ID:
CWE-399 - Resource Management Errors
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper management of internal resources within the application when handling guest sessions. A remote attacker can create multiple guest sessions that have a longer timeout compared to regular user sessions and potentially perform a denial of service (DoS) attack.
Install updates from vendor's repository.
Vulnerable software versionsFedora: 41
moodle: before 4.4.5-1.fc41
CPE2.3 External linkshttp://bodhi.fedoraproject.org/updates/FEDORA-2024-ddb5f7c0a3
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Cross-site scripting
EUVDB-ID: #VU101810
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-55647
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data in question bank filter. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
MitigationInstall updates from vendor's repository.
Vulnerable software versionsFedora: 41
moodle: before 4.4.5-1.fc41
CPE2.3 External linkshttp://bodhi.fedoraproject.org/updates/FEDORA-2024-ddb5f7c0a3
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Improper privilege management
EUVDB-ID: #VU101809
Risk: Low
CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-55646
CWE-ID:
CWE-269 - Improper Privilege Management
Exploit availability: No
DescriptionThe vulnerability allows a remote user to gain access to sensitive information.
The vulnerability exists due to improper privilege management. In a database activity with separate groups mode enabled, users who were not in a group (and did not have permission to access all groups) could see entries from members of all groups in the activity, rather than just entries of users also not in any groups.
MitigationInstall updates from vendor's repository.
Vulnerable software versionsFedora: 41
moodle: before 4.4.5-1.fc41
CPE2.3 External linkshttp://bodhi.fedoraproject.org/updates/FEDORA-2024-ddb5f7c0a3
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Information disclosure
EUVDB-ID: #VU101808
Risk: Low
CVSSv4.0: 0.6 [CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-55645
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote user to gain access to sensitive information.
The vulnerability exists due to the email change confirmation token is available via preference. A remote user or attacker with physical access to the system can obtain the token and use it later to verify the email change without having access to the mailbox.
Install updates from vendor's repository.
Vulnerable software versionsFedora: 41
moodle: before 4.4.5-1.fc41
CPE2.3 External linkshttp://bodhi.fedoraproject.org/updates/FEDORA-2024-ddb5f7c0a3
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Improper access control
EUVDB-ID: #VU101807
Risk: Low
CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-55644
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability allows a remote user to gain access to sensitive information.
The vulnerability exists due to improper access restrictions on the tag index page. A remote user can see users tagged with a tag regardless of whether they had access to view the users' profiles.
MitigationInstall updates from vendor's repository.
Vulnerable software versionsFedora: 41
moodle: before 4.4.5-1.fc41
CPE2.3 External linkshttp://bodhi.fedoraproject.org/updates/FEDORA-2024-ddb5f7c0a3
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Improper access control
EUVDB-ID: #VU101806
Risk: Low
CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-55643
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability allows a remote user to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions within the learning plan web service. A remote user can bypass implemented security restrictions and gain access to sensitive information, such as usernames.
Install updates from vendor's repository.
Vulnerable software versionsFedora: 41
moodle: before 4.4.5-1.fc41
CPE2.3 External linkshttp://bodhi.fedoraproject.org/updates/FEDORA-2024-ddb5f7c0a3
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
