CVE-2024-25980

Msa-24-0003: h5p attempts report did not respect activity group settings

CVSS 4.3 MEDIUMEPSS 0.5%CWE-284

Vexday Risk Score

13Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 4.3EPSS 0.5%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

19 Feb 2024Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

Separate Groups mode restrictions were not honored in the H5P attempts report, which would display users from other groups. By default this only provided additional access to non-editing teachers.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Affected products

moodle

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-80501 https://bugzilla.redhat.com/show_bug.cgi?id=2264096 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KXGBYJ43BUEBUAQZU3DT5I5A3YLF47CB/https://moodle.org/mod/forum/discuss.php?d=455636