Improper Authorization Affecting moodle/moodle package, versions <3.6.7 >=3.7.0-beta, <3.7.3
Threat Intelligence
EPSS
0.08% (34th
percentile)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-PHP-MOODLEMOODLE-6809180
- published 6 May 2024
- disclosed 24 May 2022
- credit Juan Leyva
Introduced: 24 May 2022
CVE-2019-14883 Open this link in a new tabHow to fix?
Upgrade moodle/moodle
to version 3.6.7, 3.7.3 or higher.
Overview
moodle/moodle is a learning platform.
Affected versions of this package are vulnerable to Improper Authorization due to missing checks for a deactivated user's email media URL tokens in the require_user_key_login()
function. An attacker in possession of a specific file path and a valid token can expose inline attachments in email notifications.
References
CVSS Scores
version 3.1