CVE-2021-20281 — Moodle allowed some users without permission to view other users' full names

Description

It was possible for some users without permission to view other users' full names to do so via the online users block in moodle before 3.10.2, 3.9.5, 3.8.8, 3.5.17.

How to fix CVE-2021-20281

To remediate CVE-2021-20281, upgrade the affected package to a fixed version below.

Bitnami/moodle—upgrade to 3.5.17 or later
—upgrade to 3.10.2 or later

Is CVE-2021-20281 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

>= 3.5.0, < 3.5.17, >= 3.8.0, < 3.8.8, >= 3.9.0, < 3.9.5, >= 3.10.0, < 3.10.2
>= 3.10.0, < 3.10.2

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References (9)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2021-20281
PATCHgithub.com/moodle/moodle
WEBbugzilla.redhat.com/show_bug.cgi?id=1939041
WEBgithub.com/moodle/moodle/commit/33d6017287e1835513a3de8edd3fbf7a6a90af9c