#VU101808 Information disclosure in Moodle - CVE-2024-55645 

 


Published: December 17, 2024


Vulnerability identifier: #VU101808
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2024-55645
CWE-ID: CWE-200
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Moodle
Software vendor: moodle.org

Description

The vulnerability allows a remote user to gain access to sensitive information.

The vulnerability exists because the email change confirmation token is available via a preference. A remote user or an attacker with physical access to the system can obtain the token and use it later to verify the email change without having access to the mailbox.


Remediation

Install updates from the vendor's website.
