CVE-2022-45149, GHSA-8v23-w4w5-w83c
packagist/moodle/moodle
Cross-Site Request Forgery (CSRF)
A vulnerability was found in Moodle which exists due to insufficient validation of the HTTP request origin in course redirect URL. A user's CSRF token was unnecessarily included in the URL when being redirected to a course they have just restored. A remote attacker can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website. This flaw allows an attacker to perform cross-site request forgery attacks.
All versions starting from 3.9.0 before 3.9.18, all versions starting from 3.11.0 before 3.11.11, all versions starting from 4.0.0 before 4.0.5
Upgrade to versions 3.9.18, 3.11.11, 4.0.5 or above.
2022-11-24
source |