Lucene search

GoogleOSV:GHSA-7PJP-FM93-P6PJ

HistoryFeb 19, 2024 - 6:31 p.m.

Cross-Site Request Forgery in moodle

2024-02-1918:31:32

Google

osv.dev

cross-site request forgery

moodle

update link

language packs

csrf

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

AI Score

7.1

Confidence

High

EPSS

Percentile

15.5%

JSON

The link to update all installed language packs did not include the necessary token to prevent a CSRF risk.

References

git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-54749

bugzilla.redhat.com/show_bug.cgi?id=2264098

github.com/moodle/moodle

github.com/moodle/moodle/commit/bac703c534d05d4502580fbe32447d5c777869bf

lists.fedoraproject.org/archives/list/[email protected]/message/KXGBYJ43BUEBUAQZU3DT5I5A3YLF47CB

moodle.org/mod/forum/discuss.php?d=455638

nvd.nist.gov/vuln/detail/CVE-2024-25982

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

AI Score

7.1

Confidence

High

EPSS

Percentile

15.5%

JSON

Related for OSV:GHSA-7PJP-FM93-P6PJ