Improper access control in Moodle - CVE-2021-20283

 

Improper access control in Moodle - CVE-2021-20283

Published: March 15, 2021


Vulnerability identifier: #VU51480
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2021-20283
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: moodle.org
Affected software:
Moodle

Detailed vulnerability description

The vulnerability allows a remote user to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions. The web service responsible for fetching other users' enrolled courses did not validate that the requesting user had permission to view that information in each course. A remote user can gain unauthorized access to the application.


How to mitigate CVE-2021-20283

Install updates from vendor's website.

Sources