CVE-2024-3932 - OpenCVE

A vulnerability classified as problematic has been found in Totara LMS 18.0.1 Build 20231128.01. This affects an unknown part. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-261369 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:L/Au:N/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

No data.

No data.

No data.

References

Link	Providers
https://vuldb.com/?ctiid.261369
https://vuldb.com/?id.261369
https://vuldb.com/?submit.314381

History

No history.

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2024-04-18T00:00:06.007Z

Updated: 2024-08-01T20:26:57.195Z

Reserved: 2024-04-17T16:57:38.876Z

Link: CVE-2024-3932

Vulnrichment

Updated: 2024-08-01T20:26:57.195Z

NVD

Status : Awaiting Analysis

Published: 2024-04-18T00:15:08.033

Modified: 2024-06-06T20:15:14.030

Link: CVE-2024-3932

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-3932", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2024-04-17T16:57:38.876Z", "datePublished": "2024-04-18T00:00:06.007Z", "dateUpdated": "2024-08-01T20:26:57.195Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2024-04-18T00:00:06.007Z"}, "title": "Totara LMS cross-site request forgery", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-352", "lang": "en", "description": "CWE-352 Cross-Site Request Forgery"}]}], "affected": [{"vendor": "Totara", "product": "LMS", "versions": [{"version": "18.0.1 Build 20231128.01", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability classified as problematic has been found in Totara LMS 18.0.1 Build 20231128.01. This affects an unknown part. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-261369 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way."}, {"lang": "de", "value": "Es wurde eine Schwachstelle in Totara LMS 18.0.1 Build 20231128.01 entdeckt. Sie wurde als problematisch eingestuft. Betroffen hiervon ist ein unbekannter Ablauf. Durch das Beeinflussen mit unbekannten Daten kann eine cross-site request forgery-Schwachstelle ausgenutzt werden. Umgesetzt werden kann der Angriff \u00fcber das Netzwerk. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseSeverity": "MEDIUM"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 4.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseSeverity": "MEDIUM"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 5, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}], "timeline": [{"time": "2024-04-17T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2024-04-17T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2024-04-17T19:03:05.000Z", "lang": "en", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/?id.261369", "name": "VDB-261369 | Totara LMS cross-site request forgery", "tags": ["vdb-entry"]}, {"url": "https://vuldb.com/?ctiid.261369", "name": "VDB-261369 | CTI Indicators (IOB, IOC)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.314381", "name": "Submit #314381 | Totara Totara LMS Totara 18.0.1 (Build: 20231128.01) Privileges Scalation", "tags": ["third-party-advisory"]}]}, "adp": [{"affected": [{"vendor": "totara", "product": "enterprise_lms", "cpes": ["cpe:2.3:a:totara:enterprise_lms:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "18.0.1 Build 20231128.01", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-04-22T18:59:52.785734Z", "id": "CVE-2024-3932", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-06T19:45:28.429Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T20:26:57.195Z"}, "title": "CVE Program Container", "references": [{"url": "https://vuldb.com/?id.261369", "name": "VDB-261369 | Totara LMS cross-site request forgery", "tags": ["vdb-entry", "x_transferred"]}, {"url": "https://vuldb.com/?ctiid.261369", "name": "VDB-261369 | CTI Indicators (IOB, IOC)", "tags": ["signature", "permissions-required", "x_transferred"]}, {"url": "https://vuldb.com/?submit.314381", "name": "Submit #314381 | Totara Totara LMS Totara 18.0.1 (Build: 20231128.01) Privileges Scalation", "tags": ["third-party-advisory", "x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://vuldb.com/?id.261369", "name": "VDB-261369 | Totara LMS cross-site request forgery", "tags": ["vdb-entry", "x_transferred"]}, {"url": "https://vuldb.com/?ctiid.261369", "name": "VDB-261369 | CTI Indicators (IOB, IOC)", "tags": ["signature", "permissions-required", "x_transferred"]}, {"url": "https://vuldb.com/?submit.314381", "name": "Submit #314381 | Totara Totara LMS Totara 18.0.1 (Build: 20231128.01) Privileges Scalation", "tags": ["third-party-advisory", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T20:26:57.195Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-3932", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-04-22T18:59:52.785734Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:totara:enterprise_lms:*:*:*:*:*:*:*:*"], "vendor": "totara", "product": "enterprise_lms", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "18.0.1 Build 20231128.01"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-04-22T18:59:13.287Z"}}], "cna": {"title": "Totara LMS cross-site request forgery", "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 5, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}], "affected": [{"vendor": "Totara", "product": "LMS", "versions": [{"status": "affected", "version": "18.0.1 Build 20231128.01"}]}], "timeline": [{"lang": "en", "time": "2024-04-17T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2024-04-17T02:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2024-04-17T19:03:05.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/?id.261369", "name": "VDB-261369 | Totara LMS cross-site request forgery", "tags": ["vdb-entry"]}, {"url": "https://vuldb.com/?ctiid.261369", "name": "VDB-261369 | CTI Indicators (IOB, IOC)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.314381", "name": "Submit #314381 | Totara Totara LMS Totara 18.0.1 (Build: 20231128.01) Privileges Scalation", "tags": ["third-party-advisory"]}], "descriptions": [{"lang": "en", "value": "A vulnerability classified as problematic has been found in Totara LMS 18.0.1 Build 20231128.01. This affects an unknown part. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-261369 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way."}, {"lang": "de", "value": "Es wurde eine Schwachstelle in Totara LMS 18.0.1 Build 20231128.01 entdeckt. Sie wurde als problematisch eingestuft. Betroffen hiervon ist ein unbekannter Ablauf. Durch das Beeinflussen mit unbekannten Daten kann eine cross-site request forgery-Schwachstelle ausgenutzt werden. Umgesetzt werden kann der Angriff \u00fcber das Netzwerk. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2024-04-18T00:00:06.007Z"}}}, "cveMetadata": {"cveId": "CVE-2024-3932", "state": "PUBLISHED", "dateUpdated": "2024-08-01T20:26:57.195Z", "dateReserved": "2024-04-17T16:57:38.876Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2024-04-18T00:00:06.007Z", "assignerShortName": "VulDB"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability classified as problematic has been found in Totara LMS 18.0.1 Build 20231128.01. This affects an unknown part. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-261369 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way."}, {"lang": "es", "value": "Una vulnerabilidad ha sido encontrada en Totara LMS 18.0.1 Build 20231128.01 y clasificada como problem\u00e1tica. Esto afecta a una parte desconocida. La manipulaci\u00f3n conduce a Cross-Site Request Forgery. Es posible iniciar el ataque de forma remota. El exploit ha sido divulgado al p\u00fablico y puede utilizarse. A esta vulnerabilidad se le asign\u00f3 el identificador VDB-261369. NOTA: Se contact\u00f3 primeramente con el proveedor sobre esta divulgaci\u00f3n, pero no respondi\u00f3 de ninguna manera."}], "id": "CVE-2024-3932", "lastModified": "2024-06-06T20:15:14.030", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2024-04-18T00:15:08.033", "references": [{"source": "cna@vuldb.com", "url": "https://vuldb.com/?ctiid.261369"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?id.261369"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?submit.314381"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "cna@vuldb.com", "type": "Primary"}]}