Proactive Insights and Support For Open-Source Applications

Specialized Software

    20 Nov 2024 Specialized Software
    Moodle: Vulnerability Allows Unauthorized Access to Report Schedules

    A medium-severity vulnerability, CVE-2024-48901, was detected in Moodle versions from 0 before 4.1.0, from 4.1.0 before 4.1.14, from 4.2.0 before 4.2.11, from 4.3.0 before 4.3.8, and from 4.4.0 before 4.4.4. It allows attackers to access and view the schedule of a report in Moodle without having the permissions needed to edit it. To fix this issue, upgrade Moodle to version 4.5.0-rc2 or higher. For more details, visit https://nvd.nist.gov/vuln/detail/cve-2024-48901.

    Educational
    20 Nov 2024 Specialized Software
    Moodle: Unauthorized User Name Exposure via Messaging Error

    A medium-severity vulnerability, CVE-2024-48896, was detected in Moodle versions prior to 4.1.14, from 4.2.0 before 4.2.11, from 4.3.0 before 4.3.8, and from 4.4.0 before 4.4.4. It allows users with “send message” rights to see the names of other users through an error message, even if they shouldn’t have access. The displayed name follows the site’s configured full-name format. To fix this issue, update to version 4.1.14, 4.2.11, 4.3.8, or 4.4.4. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-48896.

    Educational
    13 Nov 2024 Specialized Software
    Moodle: XSS Vulnerability in H5P Error Messages

    A medium-severity vulnerability, CVE-2024-43439, was detected in Moodle versions 4.1.0 and above prior to 4.1.12; 4.2.0 and above prior to 4.2.9; 4.3.0 and above prior to 4.3.6; and 4.4.0 and above prior to 4.4.2. H5P error messages can be exploited for cross-site scripting (XSS) attacks because they are not sufficiently sanitized. To fix this issue, update to version 4.1.12, 4.2.9, 4.3.6, 4.4.2, or higher. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-43439.

    Educational
    13 Nov 2024 Specialized Software
    Moodle: Hidden Profile Fields Exposed in Gradebook

    A medium-severity vulnerability, CVE-2024-43429, was detected in Moodle versions 4.4.0 and above prior to 4.4.2; 4.3.0 and above prior to 4.3.6; 4.2.0 and above prior to 4.2.9; and 4.1.0 and above prior to 4.1.12. It makes some hidden profile fields visible in gradebook reports, so users who shouldn’t see hidden fields can access them. To fix this issue, update to version 4.4.2, 4.3.6, 4.2.9, 4.1.12, or higher. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-43429.

    Educational
    13 Nov 2024 Specialized Software
    Moodle: XSS Risk Due to Insufficient Data Sanitization During Restore

    A medium-severity vulnerability, CVE-2024-43437, was detected in Moodle versions 4.4 to 4.4.1, 4.3 to 4.3.5, 4.2 to 4.2.8, and 4.1 to 4.1.11. It allows attackers to inject malicious scripts through Moodle’s backup restore process, potentially leading to cross-site scripting attacks when users restore maliciously crafted backup files. To fix this issue, upgrade Moodle to version 4.4.2, 4.3.6, 4.2.9, or 4.1.12. For more details, visit https://nvd.nist.gov/vuln/detail/cve-2024-43437.

    Educational
    25 Jul 2024 Specialized Software
    Moodle: XSS Vulnerability Allows Malicious Script Injection and User Data Manipulation

    A medium-severity vulnerability, CVE-2024-34312, was detected in Virtual Programming Lab for Moodle versions up to v4.2.3. It allows attackers to inject malicious scripts into web pages viewed by users, potentially leading to unauthorized access to or manipulation of user data. Currently, there is no fixed version for this issue. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-34312.

    Educational
    26 Jun 2024 Specialized Software
    Moodle: Improper Access Control

    In Moodle versions 4.4, 4.3 to 4.3.4, 4.2 to 4.2.7, and 4.1 to 4.1.10 a medium severity vulnerability, CVE-2024-38273, was detected. Affected versions of this package are vulnerable to improper access control due to insufficient checks, which can allow an attacker to gain unauthorized access to sensitive meeting URLs. To fix this issue, users need to upgrade Moodle to version 4.1.11, 4.2.8, 4.3.5, 4.4.1, or higher. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-38273.

    Educational
    25 Jun 2024 Specialized Software
    Moodle: XSS Risk in Calendar Event Deletion Prompt

    A low-severity vulnerability, CVE-2024-38274, was detected in Moodle. It allows harmful code to be stored in calendar event titles, posing a risk when events are deleted because user input is handled improperly. Currently, there is no fixed version for this issue. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-38274/.

    Educational
    25 Jun 2024 Specialized Software
    Moodle: The vulnerability allows attackers to steal sensitive data from users

    A low-severity vulnerability, CVE-2024-38276, was detected in Moodle. It allows attackers to steal sensitive data from users. There is no fix for this yet. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-38276/.

    Educational