CVE-2022-45149

Cross-Site Request Forgery (CSRF) in packagist/moodle/moodle

Identifiers

CVE-2022-45149, GHSA-8v23-w4w5-w83c

Package Slug

packagist/moodle/moodle

Vulnerability

Cross-Site Request Forgery (CSRF)

Description

A vulnerability was found in Moodle which exists due to insufficient validation of the HTTP request origin in course redirect URL. A user's CSRF token was unnecessarily included in the URL when being redirected to a course they have just restored. A remote attacker can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website. This flaw allows an attacker to perform cross-site request forgery attacks.

Affected Versions

All versions starting from 3.9.0 before 3.9.18, all versions starting from 3.11.0 before 3.11.11, all versions starting from 4.0.0 before 4.0.5

Solution

Upgrade to versions 3.9.18, 3.11.11, 4.0.5 or above.

Last Modified

2022-11-24

source