CVE-2024-43429
A flaw was found in moodle. Some hidden user profile fields are visible in gradebook reports, which could result in users without the "view hidden user fields" capability having access to the information.
AI Analysis
Technical Summary
CVE-2024-43429 is a vulnerability identified in Moodle, a widely used open-source learning management system, affecting versions 0 through 4.4. The flaw arises because certain hidden user profile fields, which are intended to be restricted and visible only to users with the 'view hidden user fields' capability, are inadvertently exposed in gradebook reports. This improper access control means that users lacking the necessary permissions can view sensitive profile information that should remain confidential. The vulnerability is classified under CWE-312, indicating exposure of sensitive information due to improper access restrictions. The CVSS 3.1 base score is 5.3 (medium severity), with vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, meaning the vulnerability is remotely exploitable without authentication or user interaction, impacts confidentiality to a limited degree, and does not affect integrity or availability. No known exploits have been reported in the wild, but the exposure of hidden profile fields could lead to privacy violations and potential data leakage within educational environments. Moodle's gradebook reports are commonly accessed by educators and administrators, so the flaw could allow unauthorized users to glean sensitive data about other users, such as personal identifiers or private notes, depending on what hidden fields are configured. This vulnerability highlights the importance of strict access control enforcement in LMS platforms to protect user privacy.
Potential Impact
The primary impact of CVE-2024-43429 is the unauthorized disclosure of sensitive user profile information within Moodle's gradebook reports. Although the vulnerability does not affect system integrity or availability, the confidentiality breach can undermine user privacy and trust, especially in educational settings where personal data protection is critical. Exposure of hidden fields could reveal personally identifiable information (PII), academic records, or other sensitive metadata, potentially leading to privacy violations or targeted social engineering attacks. Organizations relying on Moodle for education and training may face compliance risks with data protection regulations such as GDPR or FERPA if sensitive data is leaked. The ease of exploitation, requiring no authentication or user interaction, means that any user with access to the gradebook reports could potentially view restricted information, increasing the risk surface. While no active exploits are known, the vulnerability's presence in widely deployed Moodle versions means many institutions worldwide could be affected until patched.
Mitigation Recommendations
To mitigate CVE-2024-43429, organizations should immediately review and restrict access permissions to gradebook reports, ensuring only trusted users with appropriate roles can view sensitive data. Administrators should audit user capabilities, specifically the 'view hidden user fields' permission, and verify that it is granted only to authorized personnel. Monitoring and logging access to gradebook reports can help detect unauthorized attempts to view hidden fields. Since no official patches are currently listed, organizations should stay alert for Moodle security updates addressing this issue and apply them promptly once available. As a temporary measure, consider disabling or limiting the use of hidden user profile fields in gradebook reports if feasible. Additionally, educating staff and users about the sensitivity of profile data and enforcing strong internal data handling policies will reduce the risk of inadvertent exposure. Finally, organizations should conduct regular security assessments of their Moodle deployment to identify and remediate similar access control weaknesses.
Affected Countries
United States, United Kingdom, Canada, Australia, Germany, India, France, Brazil, South Africa, New Zealand
Technical Details
- Data Version: 5.1
- Assigner Short Name: fedora
- Date Reserved: 2024-08-13T07:15:00.598Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6cd6b7ef31ef0b56973e
Added to database: 2/25/2026, 9:42:46 PM
Last enriched: 2/28/2026, 6:27:23 AM
Last updated: 4/12/2026, 6:13:39 PM