CVE-2024-45691 - Vulnerability Details - OpenCVE

A flaw was found in Moodle. When restricting access to a lesson activity with a password, certain passwords could be bypassed or less secure due to a loose comparison in the password-checking logic. This issue only affected passwords set to "magic hash" values.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Moodle	Moodle

Configuration 1 [-]

OR	cpe:2.3:a:moodle:moodle::::::::
	cpe:2.3:a:moodle:moodle::::::::
	cpe:2.3:a:moodle:moodle::::::::
	cpe:2.3:a:moodle:moodle::::::::

No data.

References

Link	Providers
https://bugzilla.redhat.com/show_bug.cgi?id=2309940
https://moodle.org/security/

History

Mon, 02 Jun 2025 16:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Moodle Moodle moodle
Weaknesses		NVD-CWE-noinfo
CPEs		cpe:2.3:a:moodle:moodle::::::::
Vendors & Products		Moodle Moodle moodle

Wed, 20 Nov 2024 20:15:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}` ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 20 Nov 2024 10:30:00 +0000

Type	Values Removed	Values Added
Description		A flaw was found in Moodle. When restricting access to a lesson activity with a password, certain passwords could be bypassed or less secure due to a loose comparison in the password-checking logic. This issue only affected passwords set to "magic hash" values.
Title		Moodle: lesson activity password bypass through php loose comparison
References		https://bugzilla.redhat.com/show_bug.cgi?id=2309940 https://moodle.org/security/

MITRE

Status: PUBLISHED

Assigner: fedora

Published: 2024-11-20T10:25:30.380Z

Updated: 2024-11-20T19:17:19.480Z

Reserved: 2024-09-04T22:00:30.976Z

Link: CVE-2024-45691

Vulnrichment

Updated: 2024-11-20T19:17:11.524Z

NVD

Status : Analyzed

Published: 2024-11-20T11:15:05.490

Modified: 2025-06-02T15:35:23.890

Link: CVE-2024-45691

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-45691", "assignerOrgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5", "state": "PUBLISHED", "assignerShortName": "fedora", "dateReserved": "2024-09-04T22:00:30.976Z", "datePublished": "2024-11-20T10:25:30.380Z", "dateUpdated": "2024-11-20T19:17:19.480Z"}, "containers": {"cna": {"title": "Moodle: lesson activity password bypass through php loose comparison", "metrics": [{"other": {"content": {"value": "Important", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}], "descriptions": [{"lang": "en", "value": "A flaw was found in Moodle. When restricting access to a lesson activity with a password, certain passwords could be bypassed or less secure due to a loose comparison in the password-checking logic. This issue only affected passwords set to \"magic hash\" values."}], "affected": [{"versions": [{"status": "affected", "version": "0", "lessThan": "4.1.13", "versionType": "semver"}, {"status": "affected", "version": "4.2", "lessThan": "4.2.10", "versionType": "semver"}, {"status": "affected", "version": "4.3", "lessThan": "4.3.7", "versionType": "semver"}, {"status": "affected", "version": "4.4", "lessThan": "4.4.3", "versionType": "semver"}], "packageName": "moodle", "collectionURL": "https://github.com/moodle/moodle", "defaultStatus": "unaffected"}], "references": [{"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2309940", "name": "RHBZ#2309940", "tags": ["issue-tracking", "x_refsource_REDHAT"]}, {"url": "https://moodle.org/security/"}], "datePublic": "2024-09-09T00:00:00+00:00", "timeline": [{"lang": "en", "time": "2024-09-04T22:12:05.832000+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2024-09-09T00:00:00+00:00", "value": "Made public."}], "providerMetadata": {"orgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5", "shortName": "fedora", "dateUpdated": "2024-11-20T10:25:30.380Z"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-noinfo Not enough information"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2024-11-20T19:17:16.356151Z", "id": "CVE-2024-45691", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-20T19:17:19.480Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2024-45691", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-11-20T19:17:16.356151Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "description": "CWE-noinfo Not enough information"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-20T19:17:11.524Z"}}], "cna": {"title": "Moodle: lesson activity password bypass through php loose comparison", "metrics": [{"other": {"type": "Red Hat severity rating", "content": {"value": "Important", "namespace": "https://access.redhat.com/security/updates/classification/"}}}], "affected": [{"versions": [{"status": "affected", "version": "0", "lessThan": "4.1.13", "versionType": "semver"}, {"status": "affected", "version": "4.2", "lessThan": "4.2.10", "versionType": "semver"}, {"status": "affected", "version": "4.3", "lessThan": "4.3.7", "versionType": "semver"}, {"status": "affected", "version": "4.4", "lessThan": "4.4.3", "versionType": "semver"}], "packageName": "moodle", "collectionURL": "https://github.com/moodle/moodle", "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2024-09-04T22:12:05.832000+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2024-09-09T00:00:00+00:00", "value": "Made public."}], "datePublic": "2024-09-09T00:00:00+00:00", "references": [{"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2309940", "name": "RHBZ#2309940", "tags": ["issue-tracking", "x_refsource_REDHAT"]}, {"url": "https://moodle.org/security/"}], "descriptions": [{"lang": "en", "value": "A flaw was found in Moodle. When restricting access to a lesson activity with a password, certain passwords could be bypassed or less secure due to a loose comparison in the password-checking logic. This issue only affected passwords set to \"magic hash\" values."}], "providerMetadata": {"orgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5", "shortName": "fedora", "dateUpdated": "2024-11-20T10:25:30.380Z"}}}, "cveMetadata": {"cveId": "CVE-2024-45691", "state": "PUBLISHED", "dateUpdated": "2024-11-20T19:17:19.480Z", "dateReserved": "2024-09-04T22:00:30.976Z", "assignerOrgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5", "datePublished": "2024-11-20T10:25:30.380Z", "assignerShortName": "fedora"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*", "matchCriteriaId": "FFA99B07-9756-4DF8-A807-72D175B485F8", "versionEndExcluding": "4.1.13", "vulnerable": true}, {"criteria": "cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*", "matchCriteriaId": "9BA66423-C6E4-4083-A957-D8DAC924FA7D", "versionEndExcluding": "4.2.10", "versionStartIncluding": "4.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*", "matchCriteriaId": "22C8E2F5-D5D6-4309-91AB-C5AF23255D2C", "versionEndExcluding": "4.3.7", "versionStartIncluding": "4.3.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*", "matchCriteriaId": "5CD03E57-232E-442C-B1E0-9C0974006F78", "versionEndExcluding": "4.4.3", "versionStartIncluding": "4.4.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in Moodle. When restricting access to a lesson activity with a password, certain passwords could be bypassed or less secure due to a loose comparison in the password-checking logic. This issue only affected passwords set to \"magic hash\" values."}, {"lang": "es", "value": "Se encontr\u00f3 una falla en Moodle. Al restringir el acceso a una actividad de lecci\u00f3n con una contrase\u00f1a, ciertas contrase\u00f1as pod\u00edan ser ignoradas o menos seguras debido a una comparaci\u00f3n poco precisa en la l\u00f3gica de verificaci\u00f3n de contrase\u00f1as. Este problema solo afectaba a las contrase\u00f1as configuradas con valores de \"hash m\u00e1gico\"."}], "id": "CVE-2024-45691", "lastModified": "2025-06-02T15:35:23.890", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2024-11-20T11:15:05.490", "references": [{"source": "patrick@puiterwijk.org", "tags": ["Issue Tracking"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2309940"}, {"source": "patrick@puiterwijk.org", "tags": ["Vendor Advisory"], "url": "https://moodle.org/security/"}], "sourceIdentifier": "patrick@puiterwijk.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}