CVE-2021-43560: IDOR in a calendar web service allows fetching of other users' action events
A flaw was found in Moodle in versions 3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10 and earlier unsupported versions. Insufficient capability checks made it possible to fetch other users’ calendar action events.
MSA-21-0042: IDOR in a calendar web service allows fetching of other users’ action events
by Michael Hawkins - Monday, 15 November 2021, 10:34 PM
Insufficient capability checks made it possible to fetch other users’ calendar action events.
Severity/Risk:
Minor
Versions affected:
3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10 and earlier unsupported versions
Versions fixed:
3.11.4, 3.10.8 and 3.9.11
Reported by:
0xkasper
CVE identifier:
CVE-2021-43560
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71918
Tracker issue:
MDL-71918 IDOR in a calendar web service allows fetching of other users’ action events