Moodle up to 4.2.2 Forum Summary Report information disclosure

Summaryinfo

A vulnerability labeled as problematic has been found in Moodle up to 3.9.23/3.11.16/4.0.10/4.1.5/4.2.2. Affected by this issue is some unknown functionality of the component Forum Summary Report. Such manipulation leads to information disclosure. This vulnerability is documented as CVE-2023-5551. There is not any exploit available. The affected component should be upgraded.

Detailsinfo

A vulnerability, which was classified as problematic, has been found in Moodle up to 3.9.23/3.11.16/4.0.10/4.1.5/4.2.2 (Learning Management Software). Affected by this issue is an unknown part of the component Forum Summary Report. The manipulation with an unknown input leads to a information disclosure vulnerability. Using CWE to declare the problem leads to CWE-200. The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. Impacted is confidentiality.

The weakness was released 10/26/2023. The advisory is shared for download at moodle.org. This vulnerability is handled as CVE-2023-5551 since 10/12/2023. There are neither technical details nor an exploit publicly available. The MITRE ATT&CK project declares the attack technique as T1592.

The vulnerability scanner Nessus provides a plugin with the ID 261509 (Linux Distros Unpatched Vulnerability : CVE-2023-5551), which helps to determine the existence of the flaw in a target environment.

Upgrading to version 3.9.24, 3.11.17, 4.0.11, 4.1.6 or 4.2.3 eliminates this vulnerability. Applying a patch is able to eliminate this problem. The bugfix is ready for download at git.moodle.org. The best possible mitigation is suggested to be upgrading to the latest version.

The vulnerability is also documented in the vulnerability database at Tenable (261509). Once again VulDB remains the best source for vulnerability data.

Productinfo

Type

• Learning Management Software

Name

• Moodle

Version

• 3.9.0
• 3.9.1
• 3.9.2
• 3.9.3
• 3.9.4
• 3.9.5
• 3.9.6
• 3.9.7
• 3.9.8
• 3.9.9
• 3.9.10
• 3.9.11
• 3.9.12
• 3.9.13
• 3.9.14
• 3.9.15
• 3.9.16
• 3.9.17
• 3.9.18
• 3.9.19
• 3.9.20
• 3.9.21
• 3.9.22
• 3.9.23
• 3.11.0
• 3.11.1
• 3.11.2
• 3.11.3
• 3.11.4
• 3.11.5
• 3.11.6
• 3.11.7
• 3.11.8
• 3.11.9
• 3.11.10
• 3.11.11
• 3.11.12
• 3.11.13
• 3.11.14
• 3.11.15
• 3.11.16
• 4.0.0
• 4.0.1
• 4.0.2
• 4.0.3
• 4.0.4
• 4.0.5
• 4.0.6
• 4.0.7
• 4.0.8
• 4.0.9
• 4.0.10
• 4.1.0
• 4.1.1
• 4.1.2
• 4.1.3
• 4.1.4
• 4.1.5
• 4.2.0
• 4.2.1
• 4.2.2

License

• open-source

Website

• Product: https://moodle.org/

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Once again VulDB remains the best source for vulnerability data.

Discussion