CVE-2023-5545 - Vulnerability Details - OpenCVE

H5P metadata automatically populated the author with the user's username, which could be sensitive information.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00277.

Key SSVC decision points have not yet been added.

Vendors	Products
Fedoraproject Subscribe	Extra Packages For Enterprise Linux Subscribe Fedora Subscribe
Moodle Subscribe	Moodle Subscribe

Configuration 1 [-]

OR	cpe:2.3:a:moodle:moodle::::::::
	cpe:2.3:a:moodle:moodle::::::::
	cpe:2.3:a:moodle:moodle::::::::
	cpe:2.3:a:moodle:moodle::::::::
	cpe:2.3:a:moodle:moodle::::::::

Configuration 2 [-]

OR	cpe:2.3:a:fedoraproject:extra_packages_for_enterprise_linux:7.0:::::::*
	cpe:2.3:o:fedoraproject:fedora:38:::::::*

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2023-2842	H5P metadata automatically populated the author with the user's username, which could be sensitive information.
Github GHSA	GHSA-26fg-v32r-h663	Moodle Exposure of Sensitive Information to an Unauthorized Actor vulnerability

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-78820
https://bugzilla.redhat.com/show_bug.cgi?id=2243444
https://moodle.org/mod/forum/discuss.php?d=451586

History

No history.

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: fedora

Published: 2023-11-09T19:33:18.127Z

Updated: 2024-08-02T07:59:44.795Z

Reserved: 2023-10-12T00:18:04.007Z

Link: CVE-2023-5545

Vulnrichment

Updated: 2024-08-02T07:59:44.795Z

NVD

Status : Modified

Published: 2023-11-09T20:15:09.850

Modified: 2024-11-21T08:41:58.907

Link: CVE-2023-5545

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-5545", "assignerOrgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5", "state": "PUBLISHED", "assignerShortName": "fedora", "dateReserved": "2023-10-12T00:18:04.007Z", "datePublished": "2023-11-09T19:33:18.127Z", "dateUpdated": "2024-08-02T07:59:44.795Z"}, "containers": {"cna": {"title": "Moodle: auto-populated h5p author name causes a potential information leak", "metrics": [{"other": {"content": {"value": "Low", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 3.3, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "H5P metadata automatically populated the author with the user's username, which could be sensitive information."}], "affected": [{"versions": [{"status": "affected", "version": "4.2.0", "lessThan": "4.2.3", "versionType": "semver"}, {"status": "affected", "version": "4.1.0", "lessThan": "4.1.6", "versionType": "semver"}, {"status": "affected", "version": "4.0.0", "lessThan": "4.0.11", "versionType": "semver"}, {"status": "affected", "version": "3.11.0", "lessThan": "3.11.17", "versionType": "semver"}, {"status": "affected", "version": "0", "lessThan": "3.9.24", "versionType": "semver"}], "packageName": "moodle", "collectionURL": "https://git.moodle.org", "defaultStatus": "unaffected"}], "references": [{"url": "http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-78820"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2243444", "name": "RHBZ#2243444", "tags": ["issue-tracking", "x_refsource_REDHAT"]}, {"url": "https://moodle.org/mod/forum/discuss.php?d=451586"}], "datePublic": "2023-10-16T00:00:00+00:00", "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "description": "Exposure of Sensitive Information to an Unauthorized Actor", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "timeline": [{"lang": "en", "time": "2023-10-10T00:00:00+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2023-10-16T00:00:00+00:00", "value": "Made public."}], "providerMetadata": {"orgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5", "shortName": "fedora", "dateUpdated": "2024-04-19T13:47:42.679Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-5545", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-04-22T19:58:29.250008Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:moodle:h5p:4.1:*:*:*:*:*:*:*"], "vendor": "moodle", "product": "h5p", "versions": [{"status": "affected", "version": "4.1"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:a:moodle:h5p:4.2:*:*:*:*:*:*:*"], "vendor": "moodle", "product": "h5p", "versions": [{"status": "affected", "version": "4.2"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:a:moodle:h5p:4.0:*:*:*:*:*:*:*"], "vendor": "moodle", "product": "h5p", "versions": [{"status": "affected", "version": "4.0"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:a:moodle:h5p:3.11:*:*:*:*:*:*:*"], "vendor": "moodle", "product": "h5p", "versions": [{"status": "affected", "version": "3.11"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:a:moodle:h5p:3.9:*:*:*:*:*:*:*"], "vendor": "moodle", "product": "h5p", "versions": [{"status": "affected", "version": "3.9"}], "defaultStatus": "unknown"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "description": "Exposure of Sensitive Information to an Unauthorized Actor"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:28:46.075Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T07:59:44.795Z"}, "title": "CVE Program Container", "references": [{"url": "http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-78820", "tags": ["x_transferred"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2243444", "name": "RHBZ#2243444", "tags": ["issue-tracking", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://moodle.org/mod/forum/discuss.php?d=451586", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-78820", "tags": ["x_transferred"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2243444", "name": "RHBZ#2243444", "tags": ["issue-tracking", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://moodle.org/mod/forum/discuss.php?d=451586", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T07:59:44.795Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-5545", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-04-22T19:58:29.250008Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:moodle:h5p:4.1:*:*:*:*:*:*:*"], "vendor": "moodle", "product": "h5p", "versions": [{"status": "affected", "version": "4.1"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:a:moodle:h5p:4.2:*:*:*:*:*:*:*"], "vendor": "moodle", "product": "h5p", "versions": [{"status": "affected", "version": "4.2"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:a:moodle:h5p:4.0:*:*:*:*:*:*:*"], "vendor": "moodle", "product": "h5p", "versions": [{"status": "affected", "version": "4.0"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:a:moodle:h5p:3.11:*:*:*:*:*:*:*"], "vendor": "moodle", "product": "h5p", "versions": [{"status": "affected", "version": "3.11"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:a:moodle:h5p:3.9:*:*:*:*:*:*:*"], "vendor": "moodle", "product": "h5p", "versions": [{"status": "affected", "version": "3.9"}], "defaultStatus": "unknown"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "description": "Exposure of Sensitive Information to an Unauthorized Actor"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-04-22T20:09:14.813Z"}, "title": "CISA ADP Vulnrichment"}], "cna": {"title": "Moodle: auto-populated h5p author name causes a potential information leak", "metrics": [{"other": {"type": "Red Hat severity rating", "content": {"value": "Low", "namespace": "https://access.redhat.com/security/updates/classification/"}}}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.3, "attackVector": "LOCAL", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"versions": [{"status": "affected", "version": "4.2.0", "lessThan": "4.2.3", "versionType": "semver"}, {"status": "affected", "version": "4.1.0", "lessThan": "4.1.6", "versionType": "semver"}, {"status": "affected", "version": "4.0.0", "lessThan": "4.0.11", "versionType": "semver"}, {"status": "affected", "version": "3.11.0", "lessThan": "3.11.17", "versionType": "semver"}, {"status": "affected", "version": "0", "lessThan": "3.9.24", "versionType": "semver"}], "packageName": "moodle", "collectionURL": "https://git.moodle.org", "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2023-10-10T00:00:00+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2023-10-16T00:00:00+00:00", "value": "Made public."}], "datePublic": "2023-10-16T00:00:00+00:00", "references": [{"url": "http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-78820"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2243444", "name": "RHBZ#2243444", "tags": ["issue-tracking", "x_refsource_REDHAT"]}, {"url": "https://moodle.org/mod/forum/discuss.php?d=451586"}], "descriptions": [{"lang": "en", "value": "H5P metadata automatically populated the author with the user's username, which could be sensitive information."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "Exposure of Sensitive Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5", "shortName": "fedora", "dateUpdated": "2024-04-19T13:47:42.679Z"}, "x_redhatCweChain": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"}}, "cveMetadata": {"cveId": "CVE-2023-5545", "state": "PUBLISHED", "dateUpdated": "2024-08-02T07:59:44.795Z", "dateReserved": "2023-10-12T00:18:04.007Z", "assignerOrgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5", "datePublished": "2023-11-09T19:33:18.127Z", "assignerShortName": "fedora"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*", "matchCriteriaId": "A2A8D2D9-48FE-417F-8062-65794AA65706", "versionEndExcluding": "3.9.24", "vulnerable": true}, {"criteria": "cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*", "matchCriteriaId": "7C058D38-D206-4BEC-B647-4CD1808A1FC8", "versionEndExcluding": "3.11.17", "versionStartIncluding": "3.11.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*", "matchCriteriaId": "4827B277-0EC2-4254-B6DF-F18475A6253C", "versionEndExcluding": "4.0.11", "versionStartIncluding": "4.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*", "matchCriteriaId": "E660C47C-2CB3-4B06-B98A-F8EE211F798A", "versionEndExcluding": "4.1.6", "versionStartIncluding": "4.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*", "matchCriteriaId": "C65020B8-B78E-4B59-B894-3F223D769078", "versionEndExcluding": "4.2.3", "versionStartIncluding": "4.2.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:fedoraproject:extra_packages_for_enterprise_linux:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "3D9C7598-4BB4-442A-86DF-EEDE041A4CC7", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*", "matchCriteriaId": "CC559B26-5DFC-4B7A-A27C-B77DE755DFF9", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "H5P metadata automatically populated the author with the user's username, which could be sensitive information."}, {"lang": "es", "value": "Los metadatos de H5P completaron autom\u00e1ticamente al autor con el nombre de usuario del usuario, que podr\u00eda ser informaci\u00f3n confidencial."}], "id": "CVE-2023-5545", "lastModified": "2024-11-21T08:41:58.907", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 3.3, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 1.4, "source": "patrick@puiterwijk.org", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-11-09T20:15:09.850", "references": [{"source": "patrick@puiterwijk.org", "tags": ["Patch"], "url": "http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-78820"}, {"source": "patrick@puiterwijk.org", "tags": ["Issue Tracking", "Patch"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2243444"}, {"source": "patrick@puiterwijk.org", "tags": ["Patch", "Vendor Advisory"], "url": "https://moodle.org/mod/forum/discuss.php?d=451586"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-78820"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Patch"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2243444"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Vendor Advisory"], "url": "https://moodle.org/mod/forum/discuss.php?d=451586"}], "sourceIdentifier": "patrick@puiterwijk.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "patrick@puiterwijk.org", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-668"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-200"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}