Bug 2309940 (CVE-2024-45691) - CVE-2024-45691 moodle: Lesson activity password bypass through PHP loose comparison
Keywords:
Status: NEW
Alias: CVE-2024-45691
Deadline: 2024-09-09
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2311428
Blocks:
Reported: 2024-09-04 22:14 UTC by OSIDB Bzimport
Modified: 2024-11-25 19:27 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2024-09-04 22:14:10 UTC
When restricting access to a Lesson activity with a password, certain passwords could be bypassed/less secure due to a loose comparison in the password checking logic.

(Note: this only affected passwords that are set to "magic hash" values. These are certain values where a loose comparison in the code can result in multiple values "matching" the password, instead of the expected behaviour that only an exact match for the password will be accepted).
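The comparison behaviour described above, as an added example that is not part of the original report and is not Moodle's code: a hypothetical loose (`==`) check beside a strict one, run over constructed sample values. The function names and sample passwords are assumptions; the audit helper goes slightly beyond the "magic hash" case by flagging any stored password that PHP treats as a numeric string, since those are the values a loose comparison evaluates as numbers.

```php
<?php
// Hypothetical check using loose comparison (the pattern the report describes).
function check_loose(string $stored, string $supplied): bool
{
    // When both operands are numeric strings, PHP compares them as numbers,
    // so "0e123456" (0 * 10^123456) equals any other string that evaluates to 0.
    return $stored == $supplied;
}

// Hardened check: exact byte-for-byte match, evaluated in constant time.
function check_strict(string $stored, string $supplied): bool
{
    return hash_equals($stored, $supplied);
}

// Audit helper: a stored password is ambiguous under "==" if PHP considers
// it a numeric string (covers "0e..." values and others such as "1e3").
function ambiguous_under_loose_compare(string $stored): bool
{
    return is_numeric($stored);
}

// Constructed sample data, not taken from any real site.
$stored   = '0e123456';
$attempts = ['0e123456', '0e999', '0', '0.0', 'lesson'];

printf("stored=%s ambiguous=%s\n",
    var_export($stored, true),
    var_export(ambiguous_under_loose_compare($stored), true));

foreach ($attempts as $attempt) {
    printf("%-12s loose=%-5s strict=%s\n",
        var_export($attempt, true),
        var_export(check_loose($stored, $attempt), true),
        var_export(check_strict($stored, $attempt), true));
}

// A non-numeric stored password is not affected by the loose comparison.
printf("stored='lesson' ambiguous=%s\n",
    var_export(ambiguous_under_loose_compare('lesson'), true));
```

With the loose check, every numeric-zero attempt is accepted for the constructed `0e123456` password; with `hash_equals()` only the exact string is.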

