ByteOS Network

CVE Vulnerability Details :

CVE-2024-3932

PUBLISHED

More Info Official Page

Assigner-VulDB

Assigner Org ID-1af790b2-7ee1-4545-860a-a788eba489b5

Published At-18 Apr, 2024 | 00:00

Updated At-11 Jun, 2025 | 13:59

▼CVE Numbering Authority (CNA)

Totara LMS User Selector cross-site request forgery

A vulnerability classified as problematic has been found in Totara LMS up to 18.7. This affects an unknown part of the component User Selector. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. Upgrading to version 13.46, 14.38, 15.33, 16.27, 17.21 and 18.8 is able to address this issue. It is recommended to upgrade the affected component.

Affected Products

Vendor

Totara

Product

LMS

Modules

User Selector

Versions

Affected

13.0
13.1
13.2
13.3
13.4
13.5
13.6
13.7
13.8
13.9
13.10
13.11
13.12
13.13
13.14
13.15
13.16
13.17
13.18
13.19
13.20
13.21
13.22
13.23
13.24
13.25
13.26
13.27
13.28
13.29
13.30
13.31
13.32
13.33
13.34
13.35
13.36
13.37
13.38
13.39
13.40
13.41
13.42
13.43
13.44
13.45
14.0
14.1
14.2
14.3
14.4
14.5
14.6
14.7
14.8
14.9
14.10
14.11
14.12
14.13
14.14
14.15
14.16
14.17
14.18
14.19
14.20
14.21
14.22
14.23
14.24
14.25
14.26
14.27
14.28
14.29
14.30
14.31
14.32
14.33
14.34
14.35
14.36
14.37
15.0
15.1
15.2
15.3
15.4
15.5
15.6
15.7
15.8
15.9
15.10
15.11
15.12
15.13
15.14
15.15
15.16
15.17
15.18
15.19
15.20
15.21
15.22
15.23
15.24
15.25
15.26
15.27
15.28
15.29
15.30
15.31
15.32
16.0
16.1
16.2
16.3
16.4
16.5
16.6
16.7
16.8
16.9
16.10
16.11
16.12
16.13
16.14
16.15
16.16
16.17
16.18
16.19
16.20
16.21
16.22
16.23
16.24
16.25
16.26
17.0
17.1
17.2
17.3
17.4
17.5
17.6
17.7
17.8
17.9
17.10
17.11
17.12
17.13
17.14
17.15
17.16
17.17
17.18
17.19
17.20
18.0
18.1
18.2
18.3
18.4
18.5
18.6
18.7

Unaffected

13.46
14.38
15.33
16.27
17.21
18.8

Problem Types

Type	CWE ID	Description
CWE	CWE-352	Cross-Site Request Forgery
CWE	CWE-862	Missing Authorization

Type: CWE

CWE ID: CWE-352

Description: Cross-Site Request Forgery

Type: CWE

CWE ID: CWE-862

Description: Missing Authorization

Metrics

Version	Base score	Base severity	Vector
4.0	2.3	LOW	CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P
3.1	3.1	LOW	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C
3.0	3.1	LOW	CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C
2.0	2.6	N/A	AV:N/AC:H/Au:N/C:N/I:P/A:N/E:POC/RL:OF/RC:C

Version: 4.0

Base score: 2.3

Base severity: LOW

Vector:

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P

Version: 3.1

Base score: 3.1

Base severity: LOW

Vector:

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C

Version: 3.0

Base score: 3.1

Base severity: LOW

Vector:

CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C

Version: 2.0

Base score: 2.6

Base severity: N/A

Vector:

AV:N/AC:H/Au:N/C:N/I:P/A:N/E:POC/RL:OF/RC:C

Timeline

Event	Date
Advisory disclosed	2024-04-17 00:00:00
CVE reserved	2024-04-17 00:00:00
VulDB entry created	2024-04-17 02:00:00
VulDB entry last update	2025-06-11 16:04:14

Event: Advisory disclosed

Date: 2024-04-17 00:00:00

Event: CVE reserved

Date: 2024-04-17 00:00:00

Event: VulDB entry created

Date: 2024-04-17 02:00:00

Event: VulDB entry last update

Date: 2025-06-11 16:04:14

References

Hyperlink	Resource
https://vuldb.com/?id.261369	vdb-entry technical-description
https://vuldb.com/?ctiid.261369	signature permissions-required
https://vuldb.com/?submit.314381	third-party-advisory
https://totara.community/mod/forum/discuss.php?d=27644	related

Hyperlink: https://vuldb.com/?id.261369

Resource:

vdb-entry

technical-description

Hyperlink: https://vuldb.com/?ctiid.261369

Resource:

signature

permissions-required

Hyperlink: https://vuldb.com/?submit.314381

Resource:

third-party-advisory

Hyperlink: https://totara.community/mod/forum/discuss.php?d=27644

Resource:

▼Authorized Data Publishers (ADP)

1. CISA ADP Vulnrichment

Affected Products

Vendor

totara

Product

enterprise_lms

CPEs

cpe:2.3:a:totara:enterprise_lms:*:*:*:*:*:*:*:*

Default Status

unknown

Versions

Affected

From 0 through 18.0.1 Build 20231128.01 (custom)

Metrics Other Info

2. CVE Program Container

References

Hyperlink	Resource
https://vuldb.com/?id.261369	vdb-entry x_transferred
https://vuldb.com/?ctiid.261369	signature permissions-required x_transferred
https://vuldb.com/?submit.314381	third-party-advisory x_transferred

Hyperlink: https://vuldb.com/?id.261369

Resource:

vdb-entry

x_transferred

Hyperlink: https://vuldb.com/?ctiid.261369

Resource:

signature

permissions-required

x_transferred

Hyperlink: https://vuldb.com/?submit.314381

Resource:

third-party-advisory

x_transferred

Affected Products

Affected

Unaffected

Problem Types

Metrics

Metrics Other Info

Impacts

Solutions

Configurations

Workarounds

Exploits

Credits

Timeline

Replaced By

Rejected Reason

References

Affected Products

Affected

Metrics

Metrics Other Info

Impacts

Solutions

Configurations

Workarounds

Exploits

Credits

Timeline

Replaced By

Rejected Reason

References

Affected Products

Metrics

Metrics Other Info

Impacts

Solutions

Configurations

Workarounds

Exploits

Credits

Timeline

Replaced By

Rejected Reason

References