CVE-2024-3931

Summary

A vulnerability was found in Totara LMS up to 18.7. It has been rated as problematic. Affected by this issue is some unknown functionality of the file admin/roles/check.php of the component User Selector. The manipulation of the argument ID Number leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 13.46, 14.38, 15.33, 16.27, 17.21 and 18.8 is able to address this issue. It is recommended to upgrade the affected component.

Affected Software

VendorProductVersion RangeStatus
TotaraLMS13.0affected
TotaraLMS13.1affected
TotaraLMS13.2affected
TotaraLMS13.3affected
TotaraLMS13.4affected
TotaraLMS13.5affected
TotaraLMS13.6affected
TotaraLMS13.7affected
TotaraLMS13.8affected
TotaraLMS13.9affected
TotaraLMS13.10affected
TotaraLMS13.11affected
TotaraLMS13.12affected
TotaraLMS13.13affected
TotaraLMS13.14affected
TotaraLMS13.15affected
TotaraLMS13.16affected
TotaraLMS13.17affected
TotaraLMS13.18affected
TotaraLMS13.19affected
TotaraLMS13.20affected
TotaraLMS13.21affected
TotaraLMS13.22affected
TotaraLMS13.23affected
TotaraLMS13.24affected
TotaraLMS13.25affected
TotaraLMS13.26affected
TotaraLMS13.27affected
TotaraLMS13.28affected
TotaraLMS13.29affected
TotaraLMS13.30affected
TotaraLMS13.31affected
TotaraLMS13.32affected
TotaraLMS13.33affected
TotaraLMS13.34affected
TotaraLMS13.35affected
TotaraLMS13.36affected
TotaraLMS13.37affected
TotaraLMS13.38affected
TotaraLMS13.39affected
TotaraLMS13.40affected
TotaraLMS13.41affected
TotaraLMS13.42affected
TotaraLMS13.43affected
TotaraLMS13.44affected
TotaraLMS13.45affected
TotaraLMS14.0affected
TotaraLMS14.1affected
TotaraLMS14.2affected
TotaraLMS14.3affected
TotaraLMS14.4affected
TotaraLMS14.5affected
TotaraLMS14.6affected
TotaraLMS14.7affected
TotaraLMS14.8affected
TotaraLMS14.9affected
TotaraLMS14.10affected
TotaraLMS14.11affected
TotaraLMS14.12affected
TotaraLMS14.13affected
TotaraLMS14.14affected
TotaraLMS14.15affected
TotaraLMS14.16affected
TotaraLMS14.17affected
TotaraLMS14.18affected
TotaraLMS14.19affected
TotaraLMS14.20affected
TotaraLMS14.21affected
TotaraLMS14.22affected
TotaraLMS14.23affected
TotaraLMS14.24affected
TotaraLMS14.25affected
TotaraLMS14.26affected
TotaraLMS14.27affected
TotaraLMS14.28affected
TotaraLMS14.29affected
TotaraLMS14.30affected
TotaraLMS14.31affected
TotaraLMS14.32affected
TotaraLMS14.33affected
TotaraLMS14.34affected
TotaraLMS14.35affected
TotaraLMS14.36affected
TotaraLMS14.37affected
TotaraLMS15.0affected
TotaraLMS15.1affected
TotaraLMS15.2affected
TotaraLMS15.3affected
TotaraLMS15.4affected
TotaraLMS15.5affected
TotaraLMS15.6affected
TotaraLMS15.7affected
TotaraLMS15.8affected
TotaraLMS15.9affected
TotaraLMS15.10affected
TotaraLMS15.11affected
TotaraLMS15.12affected
TotaraLMS15.13affected
TotaraLMS15.14affected
TotaraLMS15.15affected
TotaraLMS15.16affected
TotaraLMS15.17affected
TotaraLMS15.18affected
TotaraLMS15.19affected
TotaraLMS15.20affected
TotaraLMS15.21affected
TotaraLMS15.22affected
TotaraLMS15.23affected
TotaraLMS15.24affected
TotaraLMS15.25affected
TotaraLMS15.26affected
TotaraLMS15.27affected
TotaraLMS15.28affected
TotaraLMS15.29affected
TotaraLMS15.30affected
TotaraLMS15.31affected
TotaraLMS15.32affected
TotaraLMS16.0affected
TotaraLMS16.1affected
TotaraLMS16.2affected
TotaraLMS16.3affected
TotaraLMS16.4affected
TotaraLMS16.5affected
TotaraLMS16.6affected
TotaraLMS16.7affected
TotaraLMS16.8affected
TotaraLMS16.9affected
TotaraLMS16.10affected
TotaraLMS16.11affected
TotaraLMS16.12affected
TotaraLMS16.13affected
TotaraLMS16.14affected
TotaraLMS16.15affected
TotaraLMS16.16affected
TotaraLMS16.17affected
TotaraLMS16.18affected
TotaraLMS16.19affected
TotaraLMS16.20affected
TotaraLMS16.21affected
TotaraLMS16.22affected
TotaraLMS16.23affected
TotaraLMS16.24affected
TotaraLMS16.25affected
TotaraLMS16.26affected
TotaraLMS17.0affected
TotaraLMS17.1affected
TotaraLMS17.2affected
TotaraLMS17.3affected
TotaraLMS17.4affected
TotaraLMS17.5affected
TotaraLMS17.6affected
TotaraLMS17.7affected
TotaraLMS17.8affected
TotaraLMS17.9affected
TotaraLMS17.10affected
TotaraLMS17.11affected
TotaraLMS17.12affected
TotaraLMS17.13affected
TotaraLMS17.14affected
TotaraLMS17.15affected
TotaraLMS17.16affected
TotaraLMS17.17affected
TotaraLMS17.18affected
TotaraLMS17.19affected
TotaraLMS17.20affected
TotaraLMS18.0affected
TotaraLMS18.1affected
TotaraLMS18.2affected
TotaraLMS18.3affected
TotaraLMS18.4affected
TotaraLMS18.5affected
TotaraLMS18.6affected
TotaraLMS18.7affected

Weaknesses

  • CWE-79: Cross Site Scripting
  • CWE-94: Code Injection

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: yes
    • Technical Impact: partial

CVE Program Container

Additional References

References