CVE-2023-23923 - Vulnerability Details - OpenCVE

The vulnerability was found Moodle which exists due to insufficient limitations on the "start page" preference. A remote attacker can set that preference for another user. The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00432.

Key SSVC decision points have not yet been added.

Vendors	Products
Moodle Subscribe	Moodle Subscribe

Configuration 1 [-]

OR	cpe:2.3:a:moodle:moodle::::::::
	cpe:2.3:a:moodle:moodle::::::::
	cpe:2.3:a:moodle:moodle::::::::
	cpe:2.3:a:moodle:moodle:4.1.0:-::::::

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2023-0605	The vulnerability was found Moodle which exists due to insufficient limitations on the "start page" preference. A remote attacker can set that preference for another user. The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
Github GHSA	GHSA-32jc-9p58-p82x	Moodle Improper Access Control vulnerability

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-76862
https://bugzilla.redhat.com/show_bug.cgi?id=2162549
https://moodle.org/mod/forum/discuss.php?d=443274#p1782023

History

No history.

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: fedora

Published: 2023-02-17T00:00:00

Updated: 2024-08-02T10:42:27.150Z

Reserved: 2023-01-19T00:00:00

Link: CVE-2023-23923

Vulnrichment

Updated: 2024-08-02T10:42:27.150Z

NVD

Status : Modified

Published: 2023-02-17T20:15:11.940

Modified: 2024-11-21T07:47:06.500

Link: CVE-2023-23923

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2023-23923", "assignerOrgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5", "assignerShortName": "fedora", "dateUpdated": "2024-08-02T10:42:27.150Z", "dateReserved": "2023-01-19T00:00:00", "datePublished": "2023-02-17T00:00:00"}, "containers": {"cna": {"title": "Moodle: possible to set the preferred \"start page\" of other users", "metrics": [{"other": {"content": {"value": "Low", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}], "descriptions": [{"lang": "en", "value": "The vulnerability was found Moodle which exists due to insufficient limitations on the \"start page\" preference. A remote attacker can set that preference for another user. The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality."}], "affected": [{"versions": [{"status": "affected", "version": "4.1.0", "lessThan": "4.1.1", "versionType": "semver"}, {"status": "affected", "version": "4.0.0", "lessThan": "4.0.6", "versionType": "semver"}, {"status": "affected", "version": "3.11.0", "lessThan": "3.11.12", "versionType": "semver"}, {"status": "affected", "version": "0", "lessThan": "3.9.19", "versionType": "semver"}], "packageName": "moodle", "collectionURL": "https://git.moodle.org", "defaultStatus": "unaffected"}], "references": [{"url": "http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-76862"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2162549"}, {"url": "https://moodle.org/mod/forum/discuss.php?d=443274#p1782023"}], "datePublic": "2023-01-23T04:00:00+00:00", "problemTypes": [{"descriptions": [{"cweId": "CWE-284", "description": "Improper Access Control", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-284: Improper Access Control", "timeline": [{"lang": "en", "time": "2023-01-19T00:00:00+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2023-01-23T04:00:00+00:00", "value": "Made public."}], "credits": [{"lang": "en", "value": "Upstream acknowledges Paul Holden as the original reporter."}], "providerMetadata": {"orgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5", "shortName": "fedora", "dateUpdated": "2024-04-19T13:37:51.789Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "Red Hat severity rating", "content": {"value": "Low", "namespace": "https://access.redhat.com/security/updates/classification/"}}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2023-23923", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-04-19T18:21:47.320393Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284 Improper Access Control"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:22:24.787Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T10:42:27.150Z"}, "title": "CVE Program Container", "references": [{"url": "http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-76862", "tags": ["x_transferred"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2162549", "tags": ["x_transferred"]}, {"url": "https://moodle.org/mod/forum/discuss.php?d=443274#p1782023", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-76862", "tags": ["x_transferred"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2162549", "tags": ["x_transferred"]}, {"url": "https://moodle.org/mod/forum/discuss.php?d=443274#p1782023", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T10:42:27.150Z"}}, {"metrics": [{"other": {"type": "Red Hat severity rating", "content": {"value": "Low", "namespace": "https://access.redhat.com/security/updates/classification/"}}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2023-23923", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-04-19T18:21:47.320393Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284 Improper Access Control"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-04-19T18:21:08.902Z"}, "title": "CISA ADP Vulnrichment"}], "cna": {"title": "Moodle: possible to set the preferred \"start page\" of other users", "credits": [{"lang": "en", "value": "Upstream acknowledges Paul Holden as the original reporter."}], "metrics": [{"other": {"type": "Red Hat severity rating", "content": {"value": "Low", "namespace": "https://access.redhat.com/security/updates/classification/"}}}], "affected": [{"versions": [{"status": "affected", "version": "4.1.0", "lessThan": "4.1.1", "versionType": "semver"}, {"status": "affected", "version": "4.0.0", "lessThan": "4.0.6", "versionType": "semver"}, {"status": "affected", "version": "3.11.0", "lessThan": "3.11.12", "versionType": "semver"}, {"status": "affected", "version": "0", "lessThan": "3.9.19", "versionType": "semver"}], "packageName": "moodle", "collectionURL": "https://git.moodle.org", "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2023-01-19T00:00:00+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2023-01-23T04:00:00+00:00", "value": "Made public."}], "datePublic": "2023-01-23T04:00:00+00:00", "references": [{"url": "http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-76862"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2162549"}, {"url": "https://moodle.org/mod/forum/discuss.php?d=443274#p1782023"}], "descriptions": [{"lang": "en", "value": "The vulnerability was found Moodle which exists due to insufficient limitations on the \"start page\" preference. A remote attacker can set that preference for another user. The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "Improper Access Control"}]}], "providerMetadata": {"orgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5", "shortName": "fedora", "dateUpdated": "2024-04-19T13:37:51.789Z"}, "x_redhatCweChain": "CWE-284: Improper Access Control"}}, "cveMetadata": {"cveId": "CVE-2023-23923", "state": "PUBLISHED", "dateUpdated": "2024-08-02T10:42:27.150Z", "dateReserved": "2023-01-19T00:00:00", "assignerOrgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5", "datePublished": "2023-02-17T00:00:00", "assignerShortName": "fedora"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*", "matchCriteriaId": "7EF7672C-DBD1-49E5-8005-17CC6ACA0F83", "versionEndExcluding": "3.9.19", "versionStartIncluding": "3.9.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*", "matchCriteriaId": "C162F159-0BA5-4ECA-85AD-364554A07AAA", "versionEndExcluding": "3.11.12", "versionStartIncluding": "3.11.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*", "matchCriteriaId": "E4481A07-1EB0-46C5-9015-E02A705C1A8F", "versionEndExcluding": "4.0.6", "versionStartIncluding": "4.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:moodle:moodle:4.1.0:-:*:*:*:*:*:*", "matchCriteriaId": "D2B926AF-E5E5-466B-B507-99F995EA25F9", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The vulnerability was found Moodle which exists due to insufficient limitations on the \"start page\" preference. A remote attacker can set that preference for another user. The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality."}], "id": "CVE-2023-23923", "lastModified": "2024-11-21T07:47:06.500", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-02-17T20:15:11.940", "references": [{"source": "patrick@puiterwijk.org", "tags": ["Patch"], "url": "http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-76862"}, {"source": "patrick@puiterwijk.org", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2162549"}, {"source": "patrick@puiterwijk.org", "tags": ["Vendor Advisory"], "url": "https://moodle.org/mod/forum/discuss.php?d=443274#p1782023"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-76862"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2162549"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://moodle.org/mod/forum/discuss.php?d=443274#p1782023"}], "sourceIdentifier": "patrick@puiterwijk.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}], "source": "patrick@puiterwijk.org", "type": "Secondary"}, {"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-284"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}