CVE-2024-48896
Moodle: users' names returned in messaging error message
CVSS 3.1: 4.3 (MEDIUM)
EPSS: 0.31%
Description
A vulnerability was found in Moodle. It is possible for users with the "send message" capability to view other users' names that they may not otherwise have access to via an error message in Messaging. Note: The name returned follows the full name format configured on the site.
How to fix CVE-2024-48896
To remediate CVE-2024-48896, upgrade the affected package to a fixed version below.
- —upgrade to 4.1.19 or later
- —upgrade to 4.1.14 or later
Is CVE-2024-48896 being exploited?
Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- from 0, < 4.1.19, >= 4.2.0, < 4.4.9
- from 0, < 4.1.14
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 4.3 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |