Bug 2243444 (CVE-2023-5545, MSA-23-0037) - CVE-2023-5545 moodle: Auto-populated H5P author name causes a potential information leak
Summary: CVE-2023-5545 moodle: Auto-populated H5P author name causes a potential infor...
Keywords:
Status: NEW
Alias: CVE-2023-5545, MSA-23-0037
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2244908 2244909
Blocks: 2243346
TreeView+ depends on / blocked
 
Reported: 2023-10-12 00:19 UTC by Robb Gatica
Modified: 2023-10-26 06:46 UTC (History)
2 users (show)

Fixed In Version: moodle 4.2.3, moodle 4.1.6, moodle 4.0.11, moodle 3.11.17, moodle 3.9.24
Doc Type: If docs needed, set a value
Doc Text:
H5P metadata automatically populated the author with the user's username, which could be sensitive information.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description Robb Gatica 2023-10-12 00:19:47 UTC 
H5P metadata automatically populated the author with the user's username, which could be sensitive information. The flaw affects versions 4.2 to 4.2.2, 4.1 to 4.1.5, 4.0 to 4.0.10, 3.11 to 3.11.16, 3.9 to 3.9.23 and earlier unsupported versions.
Comment 2 Nick Tait 2023-10-18 18:50:18 UTC 
https://moodle.org/mod/forum/discuss.php?d=451586
Comment 3 Nick Tait 2023-10-18 20:46:09 UTC 
Created moodle tracking bugs for this issue:

Affects: epel-7 [bug 2244908]
Affects: fedora-all [bug 2244909]
Note You need to log in before you can comment on or make changes to this bug.