Bug 2264099 (CVE-2024-25983)
| Summary: | CVE-2024-25983 MSA-24-0006: IDOR on dashboard comments block | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Zack Miele <zmiele> |
| Component: | vulnerability | Assignee: | Product Security <prodsec-ir-bot> |
| Status: | CLOSED UPSTREAM | QA Contact: | |
| Severity: | low | Docs Contact: | |
| Priority: | low | ||
| Version: | unspecified | CC: | joedavenportjd25, nonalodiaasirei, security-response-team, Suzanne5681 |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | moodle 4.3.3, 4.2.6 and 4.1.9 | Doc Type: | --- |
| Doc Text: |
Insufficient checks in a web service made it possible to add comments to the comments block on another user's dashboard when it was not otherwise available (e.g., on their profile page).
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2024-03-22 15:30:29 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 2264913, 2264914 | ||
| Bug Blocks: | 2264073 | ||
|
Description
Zack Miele
2024-02-13 21:39:35 UTC
Created moodle tracking bugs for this issue: Affects: epel-all [bug 2264914] Affects: fedora-all [bug 2264913] All of the existing tools will function as intended, and those that need to handle the additional groups can do so https://geometry-lite.co It functions flawlessly, based on my testing with both the new and edit comment features. Given how long the list of groups is, the only suggestion I would have would be to include a scroll bar. http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-78300 This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products. This comment was flagged a spam, view the edit history to see the original text if required. https://google.com <a href="https://google.com/">google</a> [url=https://google.com/]google[/url] [link=https://google.com/]google[/link] [link name=google]https://google.com/[/link] ((https://google.com/)) ((https://google.com/ google)) [https://google.com/ google] [[https://google.com/ google]] [L=google]https://google.com/[/L] "google":https://google.com/ [google](https://google.com/) https://google.com <a href="https://google.com/">google</a> [url=https://google.com/]google[/url] [link=https://google.com/]google[/link] [link name=google]https://google.com/[/link] ((https://google.com/)) ((https://google.com/ google)) [https://google.com/ google] [[https://google.com/ google]] [L=google]https://google.com/[/L] "google":https://google.com/ [google](https://google.com/) [size=1][url=https://][color=white]google[/color][/url][/size] Your blog is simply amazing, congratulations on your great work! https://www.c4yourself.live/ |