Vulnerability Bulletins

MSA-23-0009: Users name enumeration possible via IDOR on learning plans page


System information

   
Affected software PHP

Description

by Michael Hawkins.

Authenticated users were able to enumerate other users' names via the learning plans page.

Severity/Risk: Minor
Versions affected: 4.1 to 4.1.1 and 4.0 to 4.0.6
Versions fixed: 4.1.2 and 4.0.7
Reported by: Paul Holden
CVE identifier: CVE-2023-28334
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-77129
Tracker issue: MDL-77129 Users name enumeration possible via IDOR on learning plans page

More info:

https://moodle.org/mod/forum/discuss.php?d=445066&parent=1788899

Standard resources

Property Value
CVE CVE-2023-28334

Version history

Version Comments Date
1.0 Advisory issued 2023-03-21
CCN-CERT