CVE-2021-20283

The web service responsible for fetching other users' enrolled courses did not validate that the requesting user had permission to view that information in each course in moodle before 3.10.2, 3.9.5, 3.8.8, 3.5.17.

Published: Mar 15, 2021
Updated: Apr 14, 2023
CVE: CVE-2021-20283
Severity: Low
Exploit:

CVSS v3:

Severity: Low
Score: 4.3
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CVSS v2:

Severity: Low
Score: 4
AV:N/AC:L/Au:S/C:P/I:N/A:N

CWEs:

CWE-862

Affected Software
References

Software	From	Fixed in
moodle / moodle	3.9.0	3.9.5
moodle / moodle	3.5.0	3.5.17
moodle / moodle	3.10.0	3.10.2
moodle / moodle	3.8.0	3.8.8
fedoraproject / fedora	32	32.x
fedoraproject / fedora	34	34.x

https://bugzilla.redhat.com/show_bug.cgi?id=1939051
https://lists.fedoraproject.org/archives/list/[email protected]/message/AFSNJ7XHVTC52RSRX2GBQFF3VEEAY2MS/
https://lists.fedoraproject.org/archives/list/[email protected]/message/UFH5DDMU5TZ3JT4Q52WMRAHACA5MHIMT/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AFSNJ7XHVTC52RSRX2GBQFF3VEEAY2MS/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UFH5DDMU5TZ3JT4Q52WMRAHACA5MHIMT/
https://moodle.org/mod/forum/discuss.php?d=419654

Vulnerability Database

289,871

CVE-2021-20283