Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
mdjnelson/moodle-mod_customcert Vulnerable to Authorization Bypass Through User-Controlled Key
Vulnerability Description
mdjnelson/moodle-mod_customcert is a Moodle plugin for creating dynamically generated certificates with complete customization via the web browser. Prior to versions 4.4.9 and 5.0.3, a teacher who holds `mod/customcert:manage` in any single course can read and silently overwrite certificate elements belonging to any other course in the Moodle installation. The `core_get_fragment` callback `editelement` and the `mod_customcert_save_element` web service both fail to verify that the supplied `elementid` belongs to the authorized context, enabling cross-course information disclosure and data tampering. Versions 4.4.9 and 5.0.3 fix the issue.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
Vulnerability Type
通过用户控制密钥绕过授权机制
Vulnerability Title
Custom certificate activity 安全漏洞
Vulnerability Description
Custom certificate activity是Mark Nelson个人开发者的一个动态生成可定制PDF证书的插件。 Custom certificate activity 4.4.9之前版本和5.0.3之前版本存在安全漏洞,该漏洞源于core_get_fragment回调和mod_customcert_save_element Web服务未验证提供的elementid是否属于授权上下文,可能导致跨课程信息泄露和数据篡改。
CVSS Information
N/A
Vulnerability Type
N/A