Moodle 3.11.x < 3.11.4 Multiple Vulnerabilities

critical Web App Scanning Plugin ID 113615

Synopsis

Moodle 3.11.x < 3.11.4 Multiple Vulnerabilities

Description

The version of Moodle installed on the remote host is 3.9.x prior to 3.9.11, 3.10.x prior to 3.10.8 or 3.11.x prior to 3.11.4. It is, therefore, affected by multiple vulnerabilities:

- A Remote Code Execution when restoring malformed backup files. (CVE-2021-3943)

- A vulnerable version of mlbackend python library included in Moodle.

- A Cross-Site Scripting (XSS) vulnerability due to the lack of sanitization in or an URL parameter in the filetype site administrator tool. (CVE-2021-43558)

- A Cross-Site Request Forgery (CSRF) vulnerability due to the lack of token check in the 'delete related badge' functionality. (CVE-2021-43559)

- An Insecure Direct Object Reference (IDOR) vulnerability allowing users to fetch other users calendar action events. (CVE-2021-43560)

Note that the scanner has not attempted to exploit this issue but has instead relied only on application's self-reported version number.

Solution

Upgrade to version 3.11.4 or later.

See Also

https://moodle.org/mod/forum/discuss.php?d=429095#p1726798

https://moodle.org/mod/forum/discuss.php?d=429096#p1726799

https://moodle.org/mod/forum/discuss.php?d=429097#p1726802

https://moodle.org/mod/forum/discuss.php?d=429099#p1726805

https://moodle.org/mod/forum/discuss.php?d=429100#p1726807

Plugin Details

Severity: Critical

ID: 113615

Type: remote

Published: 2/20/2023

Updated: 3/14/2023

Scan Template: basic, full, pci, scan

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: High

Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2021-3943

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS Score Source: CVE-2021-3943

Vulnerability Information

CPE: cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*

Exploit Ease: No known exploits are available

Patch Publication Date: 11/15/2021

Vulnerability Publication Date: 11/15/2021

Reference Information

CVE: CVE-2021-3943, CVE-2021-43558, CVE-2021-43559, CVE-2021-43560

CWE: 20, 264, 352, 668, 79, 863, 94

OWASP: 2010-A1, 2010-A2, 2010-A4, 2010-A5, 2010-A8, 2013-A1, 2013-A3, 2013-A4, 2013-A7, 2013-A8, 2013-A9, 2017-A1, 2017-A5, 2017-A7, 2017-A9, 2021-A1, 2021-A3, 2021-A6

WASC: Cross-Site Request Forgery, Cross-Site Scripting, Improper Input Handling, Insufficient Authorization, OS Commanding

CAPEC: 10, 101, 104, 108, 109, 110, 111, 120, 13, 135, 136, 14, 153, 17, 182, 209, 22, 23, 230, 231, 24, 242, 250, 261, 267, 28, 3, 31, 35, 42, 43, 45, 46, 462, 467, 47, 473, 52, 53, 58, 588, 591, 592, 62, 63, 64, 67, 69, 7, 71, 72, 73, 76, 77, 78, 79, 8, 80, 81, 83, 85, 88, 9

DISA STIG: APSC-DV-000460, APSC-DV-000480, APSC-DV-002490, APSC-DV-002500, APSC-DV-002510, APSC-DV-002560, APSC-DV-002630

HIPAA: 164.306(a)(1), 164.306(a)(2), 164.312(a)(1), 164.312(a)(2)(i), 164.312(e)

ISO: 27001-A.12.6.1, 27001-A.13.1.1, 27001-A.13.1.3, 27001-A.13.2.1, 27001-A.14.1.2, 27001-A.14.1.3, 27001-A.14.2.5, 27001-A.18.1.3, 27001-A.6.2.2, 27001-A.9.1.2, 27001-A.9.4.1, 27001-A.9.4.4, 27001-A.9.4.5

NIST: sp800_53-AC-3, sp800_53-AC-4, sp800_53-CM-6b, sp800_53-SI-10, sp800_53-SI-10(5)

OWASP API: 2019-API7, 2019-API8, 2023-API8

OWASP ASVS: 4.0.2-14.2.1, 4.0.2-4.2.2, 4.0.2-5.1.3, 4.0.2-5.2.5, 4.0.2-5.3.3

PCI-DSS: 3.2-2.2, 3.2-6.2, 3.2-6.5, 3.2-6.5.1, 3.2-6.5.7, 3.2-6.5.8, 3.2-6.5.9