CVE-2024-38277
CVE-2024-38277 is a medium-severity vulnerability in Moodle with a CVSS 3.x base score of 5.4. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-324.
Key facts
- Severity: Medium (CVSS 3.x base score 5.4)
- EPSS exploit prediction: 0% (15th percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2024-2156
- Weakness: CWE-324
- Affected product: Moodle
- Published:
- Last modified:
Description
A unique key should be generated for a user's QR login key and their auto-login key, so the same key cannot be used interchangeably between the two.
Frequently asked questions
- What is CVE-2024-38277?
- A unique key should be generated for a user's QR login key and their auto-login key, so the same key cannot be used interchangeably between the two.
- How severe is CVE-2024-38277?
- CVE-2024-38277 has a CVSS 3.x base score of 5.4, rated medium severity. It is exploitable over network with low attack complexity, requires low privileges and no user interaction. Impact on confidentiality is low, integrity low, and availability none.
- Is CVE-2024-38277 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (15th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2024-38277?
- CVE-2024-38277 primarily affects Moodle. In total, 4 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2024-38277?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- Does CVE-2024-38277 have an EU (EUVD) identifier?
- Yes. CVE-2024-38277 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2024-2156.
- When was CVE-2024-38277 published?
- CVE-2024-38277 was published on 2024-06-18 and last updated on 2026-06-17.
References
- https://lists.fedoraproject.org/archives/list/[email protected]/message/F7AZYR7EXV6E5SQE2GYTNQE3NOENJCQ6/
- https://lists.fedoraproject.org/archives/list/[email protected]/message/GHTIX55J4Q4LEOMLNEA4OZSWVEENQX7E/
- https://moodle.org/mod/forum/discuss.php?d=459502
Affected products (4)
- cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:4.4.0:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:40:*:*:*:*:*:*:*
More vulnerabilities in Moodle
- CVE-2006-4936 — Critical (CVSS 10.0): Moodle before 1.6.2 does not properly validate the module instance id when creating a course module object, which has…
- CVE-2006-4935 — Critical (CVSS 10.0): The Database module in Moodle before 1.6.2 does not properly handle uploaded files, which has unspecified impact and…
- CVE-2005-2247 — Critical (CVSS 10.0): Multiple unknown vulnerabilities in Moodle before 1.5.1 have unknown impact and attack vectors.
- CVE-2004-2233 — Critical (CVSS 10.0): Unknown "front page vulnerability with Moodle servers" for Moodle before 1.3.2 has unknown impact and attack vectors.
- CVE-2004-2236 — Critical (CVSS 10.0): Unknown vulnerability in Moodle before 1.3.3 has unknown impact and attack vectors, related to language setting.
- CVE-2004-2237 — Critical (CVSS 10.0): Unknown vulnerability in Moodle before 1.3.4 has unknown impact and attack vectors, related to "strings in Moodle…
Other CWE-324 vulnerabilities
- CVE-2024-36031 — Critical (CVSS 9.8): In the Linux kernel, the following vulnerability has been resolved: keys: Fix overwrite of key expiration on…
- CVE-2025-31123 — High (CVSS 8.7): Zitadel is open-source identity infrastructure software. A vulnerability existed where expired keys can be used to…
- CVE-2025-2291 — High (CVSS 8.1): Password can be used past expiry in PgBouncer due to auth_query not taking into account Postgres its VALID UNTIL value,…
- CVE-2026-52809 — Medium (CVSS 6.8): Gogs is an open source self-hosted Git service. Prior to 0.14.3, password-reset tokens are generated using…
- CVE-2024-25679 — Medium (CVSS 6.5): In PQUIC before 5bde5bb, retention of unused initial encryption keys allows attackers to disrupt a connection with a…
- CVE-2025-33012 — Medium (CVSS 6.3): IBM Db2 10.5.0 through 10.5.11, 11.1.0 through 11.1.4.7, 11.5.0 through 11.5.9, and 12.1.0 through 12.1.3 for Linux…