CVE-2024-25983 - Vulnerability Details - OpenCVE

Insufficient checks in a web service made it possible to add comments to the comments block on another user's dashboard when it was not otherwise available (e.g., on their profile page).

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Fedoraproject	Fedora
Moodle	Moodle

Configuration 1 [-]

OR	cpe:2.3:a:moodle:moodle::::::::
	cpe:2.3:a:moodle:moodle::::::::
	cpe:2.3:a:moodle:moodle::::::::

Configuration 2 [-]

cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-78300
https://bugzilla.redhat.com/show_bug.cgi?id=2264099
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KXGBYJ43BUEBUAQZU3DT5I5A3YLF47CB/
https://moodle.org/mod/forum/discuss.php?d=455641

History

Thu, 23 Jan 2025 18:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Fedoraproject Fedoraproject fedora Moodle Moodle moodle
CPEs		cpe:2.3:a:moodle:moodle:::::::: cpe:2.3:o:fedoraproject:fedora:38:::::::*
Vendors & Products		Fedoraproject Fedoraproject fedora Moodle Moodle moodle

MITRE

Status: PUBLISHED

Assigner: fedora

Published: 2024-02-19T16:32:58.729Z

Updated: 2024-08-01T23:52:06.541Z

Reserved: 2024-02-13T18:10:15.371Z

Link: CVE-2024-25983

Vulnrichment

Updated: 2024-08-01T23:52:06.541Z

NVD

Status : Analyzed

Published: 2024-02-19T17:15:09.697

Modified: 2025-01-23T17:37:14.453

Link: CVE-2024-25983

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-25983", "assignerOrgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5", "state": "PUBLISHED", "assignerShortName": "fedora", "dateReserved": "2024-02-13T18:10:15.371Z", "datePublished": "2024-02-19T16:32:58.729Z", "dateUpdated": "2024-08-01T23:52:06.541Z"}, "containers": {"cna": {"title": "Msa-24-0006: idor on dashboard comments block", "metrics": [{"other": {"content": {"value": "Low", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.5, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "Insufficient checks in a web service made it possible to add comments to the comments block on another user's dashboard when it was not otherwise available (e.g., on their profile page)."}], "affected": [{"versions": [{"status": "affected", "version": "4.3.0", "lessThan": "4.3.3", "versionType": "semver"}, {"status": "affected", "version": "4.2.0", "lessThan": "4.2.6", "versionType": "semver"}, {"status": "affected", "version": "0", "lessThan": "4.1.9", "versionType": "semver"}], "packageName": "moodle", "collectionURL": "https://git.moodle.org", "defaultStatus": "unaffected"}], "references": [{"url": "http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-78300"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2264099", "name": "RHBZ#2264099", "tags": ["issue-tracking", "x_refsource_REDHAT"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KXGBYJ43BUEBUAQZU3DT5I5A3YLF47CB/"}, {"url": "https://moodle.org/mod/forum/discuss.php?d=455641"}], "datePublic": "2024-02-19T00:00:00+00:00", "problemTypes": [{"descriptions": [{"cweId": "CWE-639", "description": "Authorization Bypass Through User-Controlled Key", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-639: Authorization Bypass Through User-Controlled Key", "timeline": [{"lang": "en", "time": "2024-02-13T00:00:00+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2024-02-19T00:00:00+00:00", "value": "Made public."}], "credits": [{"lang": "en", "value": "Red Hat would like to thank BA7MAN for reporting this issue."}], "providerMetadata": {"orgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5", "shortName": "fedora", "dateUpdated": "2024-04-19T13:51:01.502Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-25983", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-02-20T18:32:00.576712Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-05T17:21:47.462Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T23:52:06.541Z"}, "title": "CVE Program Container", "references": [{"url": "http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-78300", "tags": ["x_transferred"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2264099", "name": "RHBZ#2264099", "tags": ["issue-tracking", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KXGBYJ43BUEBUAQZU3DT5I5A3YLF47CB/", "tags": ["x_transferred"]}, {"url": "https://moodle.org/mod/forum/discuss.php?d=455641", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-78300", "tags": ["x_transferred"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2264099", "name": "RHBZ#2264099", "tags": ["issue-tracking", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KXGBYJ43BUEBUAQZU3DT5I5A3YLF47CB/", "tags": ["x_transferred"]}, {"url": "https://moodle.org/mod/forum/discuss.php?d=455641", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T23:52:06.541Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-25983", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-02-20T18:32:00.576712Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-05T15:20:39.979Z"}}], "cna": {"title": "Msa-24-0006: idor on dashboard comments block", "credits": [{"lang": "en", "value": "Red Hat would like to thank BA7MAN for reporting this issue."}], "metrics": [{"other": {"type": "Red Hat severity rating", "content": {"value": "Low", "namespace": "https://access.redhat.com/security/updates/classification/"}}}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.5, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}], "affected": [{"versions": [{"status": "affected", "version": "4.3.0", "lessThan": "4.3.3", "versionType": "semver"}, {"status": "affected", "version": "4.2.0", "lessThan": "4.2.6", "versionType": "semver"}, {"status": "affected", "version": "0", "lessThan": "4.1.9", "versionType": "semver"}], "packageName": "moodle", "collectionURL": "https://git.moodle.org", "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2024-02-13T00:00:00+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2024-02-19T00:00:00+00:00", "value": "Made public."}], "datePublic": "2024-02-19T00:00:00+00:00", "references": [{"url": "http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-78300"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2264099", "name": "RHBZ#2264099", "tags": ["issue-tracking", "x_refsource_REDHAT"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KXGBYJ43BUEBUAQZU3DT5I5A3YLF47CB/"}, {"url": "https://moodle.org/mod/forum/discuss.php?d=455641"}], "descriptions": [{"lang": "en", "value": "Insufficient checks in a web service made it possible to add comments to the comments block on another user's dashboard when it was not otherwise available (e.g., on their profile page)."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "Authorization Bypass Through User-Controlled Key"}]}], "providerMetadata": {"orgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5", "shortName": "fedora", "dateUpdated": "2024-04-19T13:51:01.502Z"}, "x_redhatCweChain": "CWE-639: Authorization Bypass Through User-Controlled Key"}}, "cveMetadata": {"cveId": "CVE-2024-25983", "state": "PUBLISHED", "dateUpdated": "2024-08-01T23:52:06.541Z", "dateReserved": "2024-02-13T18:10:15.371Z", "assignerOrgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5", "datePublished": "2024-02-19T16:32:58.729Z", "assignerShortName": "fedora"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*", "matchCriteriaId": "CEC7A69A-C831-4087-B210-0C4DA13BA20B", "versionEndExcluding": "4.1.9", "versionStartIncluding": "4.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*", "matchCriteriaId": "FCCA487E-E8A2-496D-8439-01D492B7E95C", "versionEndExcluding": "4.2.6", "versionStartIncluding": "4.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*", "matchCriteriaId": "442D221B-7597-4FF2-A43E-ADFA21036DBE", "versionEndExcluding": "4.3.3", "versionStartIncluding": "4.3.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*", "matchCriteriaId": "CC559B26-5DFC-4B7A-A27C-B77DE755DFF9", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Insufficient checks in a web service made it possible to add comments to the comments block on another user's dashboard when it was not otherwise available (e.g., on their profile page)."}, {"lang": "es", "value": "Las comprobaciones insuficientes en un servicio web hicieron posible agregar comentarios al bloque de comentarios en el panel de otro usuario cuando de otro modo no estaba disponible (por ejemplo, en su p\u00e1gina de perfil)."}], "id": "CVE-2024-25983", "lastModified": "2025-01-23T17:37:14.453", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.5, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 1.4, "source": "patrick@puiterwijk.org", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-02-19T17:15:09.697", "references": [{"source": "patrick@puiterwijk.org", "tags": ["Patch"], "url": "http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-78300"}, {"source": "patrick@puiterwijk.org", "tags": ["Issue Tracking"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2264099"}, {"source": "patrick@puiterwijk.org", "tags": ["Mailing List"], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KXGBYJ43BUEBUAQZU3DT5I5A3YLF47CB/"}, {"source": "patrick@puiterwijk.org", "tags": ["Vendor Advisory"], "url": "https://moodle.org/mod/forum/discuss.php?d=455641"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-78300"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2264099"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List"], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KXGBYJ43BUEBUAQZU3DT5I5A3YLF47CB/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://moodle.org/mod/forum/discuss.php?d=455641"}], "sourceIdentifier": "patrick@puiterwijk.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "patrick@puiterwijk.org", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-639"}], "source": "nvd@nist.gov", "type": "Primary"}]}