CVE-2024-45691: 
PHP vulnerability analysis and mitigation

A security vulnerability (CVE-2024-45691) was identified in Moodle affecting the lesson activity password functionality. The vulnerability allows certain passwords to be bypassed or become less secure due to a loose comparison in the password-checking logic. This issue specifically affects passwords that are set to "magic hash" values, where the loose comparison in the code can result in multiple values matching the password instead of requiring an exact match (NVD, Redhat Bugzilla).

The vulnerability stems from a PHP loose comparison implementation in the password-checking logic of Moodle's lesson activity feature. The issue specifically manifests when passwords are set to "magic hash" values, which can cause the system to incorrectly validate multiple password values as valid matches. The vulnerability has been assigned a CVSS v3.1 Base Score of 5.4 (MEDIUM) with the vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N (NVD).

The vulnerability compromises the security of password-protected lesson activities in Moodle by potentially allowing unauthorized access when certain password values are used. This could lead to unauthorized users gaining access to restricted lesson content when the password is set to specific "magic hash" values (Redhat Bugzilla).

The vulnerability has been identified and reported, with fixes being developed. Organizations using Moodle should monitor for updates and apply them when available. In the meantime, administrators should avoid using passwords that could be interpreted as "magic hash" values for lesson activities (Moodle Security).