Bug 2263853 (CVE-2024-1439)

Summary: CVE-2024-1439 moodle: Inadequate access control
Product: [Other] Security Response
Reporter: ybuenos
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
Keywords: Security
Hardware: All   
OS: Linux   
Bug Depends On: 2263854, 2263855    

Description ybuenos 2024-02-12 12:46:32 UTC
Inadequate access control in Moodle LMS. This vulnerability could allow a local user with a student role to create arbitrary events intended for users with higher roles. It could also allow the attacker to add events to the calendar of all users without their prior consent.

https://www.incibe.es/en/incibe-cert/notices/aviso/inadequate-access-control-vulnerability-moodle

Comment 1 ybuenos 2024-02-12 12:46:48 UTC
Created moodle tracking bugs for this issue:

Affects: epel-all [bug 2263854]
Affects: fedora-all [bug 2263855]