CVE-2021-43560
Moodle Insecure direct object reference (IDOR) in a calendar web service
5.3
MEDIUM
CVSS 3.1
EPSS 0.16%
Description
A flaw was found in Moodle in versions 3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10 and earlier unsupported versions. Insufficient capability checks made it possible to fetch other users' calendar action events.
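The flaw class here is an insecure direct object reference: a web-service method accepts event ids from the caller and, because the capability check was insufficient, returns events belonging to other users. The following is an added illustration of that pattern and of the fix shape (an ownership/capability check applied to every record before it is returned). It is not Moodle's code; the data model, the `calendar:manageentries` capability name and the function names are assumptions chosen for the example, and the sample events are constructed.

```python
"""Illustrative IDOR in a 'fetch calendar action events by id' web-service method.

The vulnerable form trusts caller-supplied ids; the hardened form filters every
event through a capability check tied to the requesting user.
Not Moodle code: the model and capability name are assumptions for this example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    id: int
    user_id: int        # owner of the user-level action event
    name: str


@dataclass(frozen=True)
class User:
    id: int
    capabilities: frozenset  # assumed capability strings held by the user


# Constructed sample data: two users, each with private action events.
EVENTS = {
    1: Event(1, 100, "Assignment due"),
    2: Event(2, 200, "Quiz closes"),
    3: Event(3, 200, "Forum post due"),
}

# Assumed name of a site-wide capability that permits viewing any event.
VIEW_ALL_CAPABILITY = "calendar:manageentries"


def fetch_by_ids_vulnerable(requester, ids):
    """Return every existing event whose id was supplied.

    Nothing ties the ids to the requester, and ids are small sequential
    integers, so any authenticated caller can enumerate other users' events.
    """
    return [EVENTS[i] for i in ids if i in EVENTS]


def can_view(requester, event):
    """Capability check: the event's owner, or a holder of the assumed
    site-wide VIEW_ALL_CAPABILITY, may see it."""
    return (event.user_id == requester.id
            or VIEW_ALL_CAPABILITY in requester.capabilities)


def fetch_by_ids_hardened(requester, ids):
    """Same lookup, but each event passes can_view() before it is returned.

    Unauthorised ids are dropped rather than reported as errors, so the
    response does not reveal which ids exist.
    """
    result = []
    for i in ids:
        event = EVENTS.get(i)
        if event is not None and can_view(requester, event):
            result.append(event)
    return result
```

The check must be applied per record, not once per request: a caller who owns one of the requested ids must still not receive the others.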
How to fix CVE-2021-43560
To remediate CVE-2021-43560, upgrade Moodle to the first fixed release of the branch you run (the affected ranges below are the source for these versions):
- upgrade to 3.8.9 or later
- upgrade to 3.9.11 or later
- upgrade to 3.10.8 or later
- upgrade to 3.11.4 or later
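To check an installation against these fixed versions, the script below (an added example, not part of the advisory or of Moodle) reads the `$release` string that Moodle's `version.php` assigns and compares it with the per-branch fixed releases listed on this page. The `version.php` excerpt is constructed for the example; the parsing assumes the usual single-quoted `$release = '...'` form.

```python
"""Check a Moodle release string against the CVE-2021-43560 fixed versions.

Added example; the fixed versions come from the advisory's affected ranges.
"""
import re

# First fixed release per affected minor branch (from the advisory).
FIXED = {
    (3, 8): (3, 8, 9),
    (3, 9): (3, 9, 11),
    (3, 10): (3, 10, 8),
    (3, 11): (3, 11, 4),
}


def parse_release(release):
    """Extract (major, minor, patch) from a Moodle $release string such as
    '3.11.3 (Build: 20211108)'. A missing patch component defaults to 0."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised release string: {release!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_vulnerable(release):
    """True if the release falls inside an affected range for CVE-2021-43560."""
    major, minor, patch = parse_release(release)
    fixed = FIXED.get((major, minor))
    if fixed is None:
        # Everything older than the 3.8 branch is in the advisory's
        # "from 0, < 3.8.9" range and never received a fix; branches newer
        # than 3.11 are outside every affected range.
        return (major, minor) < (3, 8)
    return (major, minor, patch) < fixed


def release_from_version_php(text):
    """Pull the $release assignment out of the contents of Moodle's version.php."""
    m = re.search(r"\$release\s*=\s*'([^']*)'", text)
    if not m:
        raise ValueError("no $release assignment found")
    return m.group(1)


# Constructed version.php excerpt for the example (not a real build string).
SAMPLE_VERSION_PHP = """<?php
$version  = 2020110907.00;
$release  = '3.10.7 (Build: 20210000)';
$branch   = '310';
"""

if __name__ == "__main__":
    rel = release_from_version_php(SAMPLE_VERSION_PHP)
    status = "VULNERABLE" if is_vulnerable(rel) else "fixed"
    print(f"{rel}: {status} for CVE-2021-43560")
```

On a live server, read `version.php` from the Moodle code root and pass its contents to `release_from_version_php`; the `$release` string is authoritative for the installed branch and patch level.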
Is CVE-2021-43560 being exploited?
Low. EPSS is 0.16%, the estimated probability that the vulnerability is exploited in the wild within the next 30 days; a score this low does not indicate widespread exploitation, though it does not rule out targeted use.
Affected packages (2)
- all versions < 3.8.9; >= 3.9.0 and < 3.9.11; >= 3.10.0 and < 3.10.8; >= 3.11.0 and < 3.11.4
- >= 3.9 and < 3.9.11
CVSS scores
| Source | Version | Severity | Score | Vector |
|---|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM | 5.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |