Information disclosure in Moodle - CVE-2024-55645

 


Published: December 17, 2024


Vulnerability identifier: #VU101808
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2024-55645
CWE-ID: CWE-200
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: moodle.org
Affected software: Moodle

Detailed vulnerability description

The vulnerability allows a remote user to gain access to sensitive information.

The vulnerability exists because the email change confirmation token is available via a user preference. A remote user or an attacker with physical access to the system can obtain the token and use it later to verify the email change without having access to the mailbox.


How to mitigate CVE-2024-55645

Install updates from the vendor's website.
