Base Score

MEDIUM6.2

CVE-2024-33996

Incorrect validation of allowed event types in a calendar web service made it possible for some users to create events with types/audiences they did not have permission to publish to.

VectorNETWORK

Published Bypatrick@puiterwijk.org

Published DateMay 31, 2024, 20:15

Affected Versions(3)

moodle/moodle(Packagist)

Introduced4.3.0

Fixed4.3.4

LimitN/A

moodle/moodle(Packagist)

Introduced4.2.0

Fixed4.2.7

LimitN/A

moodle/moodle(Packagist)

Introduced0

Fixed4.1.10

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
moodle/moodle(Packagist)	4.3.0	4.3.4	N/A
moodle/moodle(Packagist)	4.2.0	4.2.7	N/A
moodle/moodle(Packagist)	0	4.1.10	N/A

Weakness Type (CWE):NVD-CWE-noinfo

CVSS Metrics

Base Score

6.2

Vector String

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:N/I:H/A:N

Base Severity

MEDIUM

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

HIGH

User Interaction (UI)

REQUIRED

Scope (S)

CHANGED

Confidentiality (C)

NONE

Integrity (I)

HIGH

Availability (A)

NONE

References

https://moodle.org/mod/forum/discuss.php?d=458384#p1840909

Base Score

MEDIUM6.2

Weakness Type (CWE):NVD-CWE-noinfo

CVSS Metrics

Base Score

6.2

Vector String

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:N/I:H/A:N

Base Severity

MEDIUM

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

HIGH

User Interaction (UI)

REQUIRED

Scope (S)

CHANGED

Confidentiality (C)

NONE

Integrity (I)

HIGH

Availability (A)

NONE