Lucene search

GitHub Advisory DatabaseGHSA-7PJP-FM93-P6PJ

HistoryFeb 19, 2024 - 6:31 p.m.

Cross-Site Request Forgery in moodle

2024-02-1918:31:32

CWE-352

GitHub Advisory Database

github.com

cross-site request forgery

moodle

language packs

csrf risk

software

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

AI Score

6.8

Confidence

High

EPSS

Percentile

15.5%

JSON

The link to update all installed language packs did not include the necessary token to prevent a CSRF risk.

Affected configurations

Vulners

Node

moodlemoodleRange<4.1.9

moodlemoodleRange4.2.0–4.2.6

moodlemoodleRange4.3.0–4.3.3

VendorProductVersionCPE
moodlemoodle*cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
moodle	moodle	*	cpe:2.3:a:moodle:moodle::::::::

References

git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-54749

bugzilla.redhat.com/show_bug.cgi?id=2264098

github.com/advisories/GHSA-7pjp-fm93-p6pj

github.com/moodle/moodle/commit/bac703c534d05d4502580fbe32447d5c777869bf

lists.fedoraproject.org/archives/list/[email protected]/message/KXGBYJ43BUEBUAQZU3DT5I5A3YLF47CB

moodle.org/mod/forum/discuss.php?d=455638

nvd.nist.gov/vuln/detail/CVE-2024-25982

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

AI Score

6.8

Confidence

High

EPSS

Percentile

15.5%

JSON

Related for GHSA-7PJP-FM93-P6PJ