CVE-2021-36396

Moodle vulnerable to Server-Side Request Forgery in packagist/moodle/moodle

Identifiers

CVE-2021-36396, GHSA-4rmj-w58m-fvch

Package Slug

packagist/moodle/moodle

Vulnerability

Moodle vulnerable to Server-Side Request Forgery

Description

In Moodle, insufficient redirect handling made it possible to blindly bypass cURL blocked hosts/allowed ports restrictions, resulting in a blind SSRF risk.

Affected Versions

All versions before 3.9.8, all versions starting from 3.10.0 before 3.10.5, all versions starting from 3.11.0-beta before 3.11.1

Solution

Upgrade to versions 3.9.8, 3.10.5, 3.11.1 or above.

Last Modified

2023-03-08

source