CVE-2024-38277: Moodle uses the same key for QR login and auto-login
A unique key should be generated for a user’s QR login key and their auto-login key, so the same key cannot be used interchangeably between the two.
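The key separation described above, as an added sketch that is not Moodle's code: a key store that records the flow each key was issued for and refuses to redeem it in the other flow, beside the weak form where one key serves both. The class name, the purpose labels, the 60-second lifetime and the single-use behaviour are assumptions made for the illustration.

```python
import secrets
import time

# Hypothetical purpose labels for this sketch, not Moodle identifiers.
QR_LOGIN = "qrlogin"
AUTO_LOGIN = "autologin"


class LoginKeyStore:
    """In-memory model of per-user login keys (illustration only)."""

    def __init__(self, bind_purpose=True, clock=time.time):
        self.bind_purpose = bind_purpose
        self.clock = clock
        self._keys = {}  # key -> (user_id, purpose, expires_at)

    def issue(self, user_id, purpose, ttl=60):
        if not self.bind_purpose:
            # Weak form: hand back the user's live key whatever the flow,
            # so the QR key and the auto-login key are the same value.
            for key, (uid, _, exp) in self._keys.items():
                if uid == user_id and exp > self.clock():
                    return key
        # Hardened form: always mint a fresh key tied to one purpose.
        key = secrets.token_hex(16)
        self._keys[key] = (user_id, purpose, self.clock() + ttl)
        return key

    def redeem(self, key, user_id, purpose):
        record = self._keys.get(key)
        if record is None:
            return False
        uid, issued_for, expires_at = record
        if uid != user_id or expires_at <= self.clock():
            return False
        if self.bind_purpose and issued_for != purpose:
            return False  # key was minted for the other flow
        del self._keys[key]  # assumed single-use
        return True


if __name__ == "__main__":
    store = LoginKeyStore()
    qr = store.issue(7, QR_LOGIN)  # user id 7 is a constructed sample
    print("QR key accepted for auto-login:", store.redeem(qr, 7, AUTO_LOGIN))
    print("QR key accepted for QR login:", store.redeem(qr, 7, QR_LOGIN))
```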
References
- github.com/advisories/GHSA-r82w-3phg-qvr4
- github.com/moodle/moodle
- github.com/moodle/moodle/commit/0caedaab7cd5a46331d56654ce9301b0a5a04c56
- github.com/moodle/moodle/commit/1aea4a15281d81f2414a95aa485b8a6551708f57
- github.com/moodle/moodle/commit/ad46a97f5355f0451d52e9f1a0f528d9a6f12e06
- github.com/moodle/moodle/commit/d05795db8eece2943241a29a5443fb4685ba6070
- moodle.org/mod/forum/discuss.php?d=459502
- nvd.nist.gov/vuln/detail/CVE-2024-38277