Authorization Bypass Through User-Controlled Key

CVE-2024-48899

Medium

5.3/10

Summary

A vulnerability was found in Moodle. Additional checks are required to ensure users can only fetch the list of course badges for courses that they intended to have access to. This issue affects moodle/moodle versions 4.4.0-beta through 4.4.3, 4.5.0-beta, and 4.5.0-rc1.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: NONE
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: LOW
Confidentiality Impact: LOW
Availability Impact: NONE

CWE-639 - Authorization Bypass Through User-Controlled Key

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

References

Advisory
Advisory
Issue

Advisory Timeline

Published Nov 20, 2024

Authorization Bypass Through User-Controlled Key

CVE-2024-48899

Summary

CWE-639 - Authorization Bypass Through User-Controlled Key

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS