CVE-2024-48900: 
PHP vulnerability analysis and mitigation

A vulnerability was identified in Moodle related to insufficient access control for badge recipients lists. The vulnerability, tracked as CVE-2024-48900, was discovered and disclosed in October 2024. The issue affects Moodle's badge system where users with permission to view badge recipients could potentially access lists beyond their intended access scope (NVD, CVE).

The vulnerability is classified as an Insecure Direct Object Reference (IDOR) issue and has been assigned CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The CVSS v3.1 base score is 4.3 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N, indicating that the vulnerability requires low attack complexity and low privileges to exploit (NVD).

The vulnerability could allow authenticated users with badge recipient viewing permissions to access badge recipient lists that they should not have access to, potentially exposing sensitive user information beyond the intended scope (Red Hat Bugzilla).

Additional security checks have been implemented to ensure users with permission to view badge recipients can only access lists they are intended to have access to. System administrators should apply the appropriate updates when available (CVE).