CVE-2024-38277: 
PHP vulnerability analysis and mitigation

A vulnerability was discovered in Moodle affecting versions 4.4, 4.3 to 4.3.4, 4.2 to 4.2.7, 4.1 to 4.1.10 and earlier unsupported versions, where QR login keys and auto-login keys were not properly separated. The vulnerability was reported by Juan Leyva and assigned CVE-2024-38277. The issue was fixed in versions 4.4.1, 4.3.5, 4.2.8, and 4.1.11, released in June 2024 (Moodle Forum).

The vulnerability stems from the system not generating unique keys for a user's QR login functionality and auto-login functionality, allowing the same key to be used interchangeably between the two authentication methods. The severity was assessed as MEDIUM with a CVSS 3.1 base score of 5.4 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N). The weakness was classified under CWE-326 (Inadequate Encryption Strength) and CWE-324 (Use of a Key Past its Expiration Date) (NVD).

The vulnerability could potentially allow an attacker to use a key intended for one authentication method (QR login) with another authentication method (auto-login) or vice versa, potentially compromising the security of the authentication system (Moodle Forum).

The vulnerability has been fixed in Moodle versions 4.4.1, 4.3.5, 4.2.8, and 4.1.11. Users are advised to upgrade to these patched versions. The fix ensures that unique keys are generated separately for QR login and auto-login functionalities (Fedora Update).