Headline

CVE-2021-43560: IDOR in a calendar web service allows fetching of other users' action events

A flaw was found in Moodle in versions 3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10 and earlier unsupported versions. Insufficient capability checks made it possible to fetch other users’ calendar action events.

3 years ago

CVE

Open in Source

#sql #csrf #web #git

Security announcements****MSA-21-0042: IDOR in a calendar web service allows fetching of other users’ action events

◀︎ MSA-21-0041: CSRF risk on delete related badge feature
MSA-22-0001: SQL injection risk in code fetching h5p activity user attempts ▶︎

Display mode

MSA-21-0042: IDOR in a calendar web service allows fetching of other users’ action events

by Michael Hawkins - Monday, 15 November 2021, 10:34 PM

Number of replies: 0

Insufficient capability checks made it possible to fetch other users’ calendar action events.

Severity/Risk:

Minor

Versions affected:

3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10 and earlier unsupported versions

Versions fixed:

3.11.4, 3.10.8 and 3.9.11

Reported by:

0xkasper

CVE identifier:

CVE-2021-43560

Changes (master):

http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71918

Tracker issue:

MDL-71918 IDOR in a calendar web service allows fetching of other users’ action events

Permalink

◀︎ MSA-21-0041: CSRF risk on delete related badge feature
MSA-22-0001: SQL injection risk in code fetching h5p activity user attempts ▶︎

◀︎ Issue Tracker

Jump to…

Social media ▶︎

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda

10 months ago

10 months ago

10 months ago

10 months ago

10 months ago