Moodle 4.1.x < 4.1.11 Multiple Vulnerabilities

high Web App Scanning Plugin ID 114692

Synopsis

Moodle 4.1.x < 4.1.11 Multiple Vulnerabilities

Description

According to its self-reported version, the Moodle install hosted on the remote host is 4.1.x prior to 4.1.11, 4.2.x prior to 4.2.8, 4.3.x prior to 4.3.5, or 4.4.x prior to 4.4.1. It is, therefore, affected by multiple vulnerabilities.

- A unique key should be generated for a user's QR login key and their auto-login key, so the same key cannot be used interchangeably between the two.

- Incorrect CSRF token checks resulted in multiple CSRF risks.

- The cURL wrapper in Moodle retained the original request headers when following redirects, so HTTP authorization header information could be unintentionally sent in requests to redirect URLs.

- Insufficient escaping of calendar event titles resulted in a stored XSS risk in the event deletion prompt.

- Insufficient capability checks meant it was possible for users to gain access to BigBlueButton join URLs they did not have permission to access.

Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade to Moodle version 4.1.11 or later.

See Also

http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-80959

http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-81412

http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-81774

http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-81778

http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-81890

https://moodle.org/mod/forum/discuss.php?d=459498#p1845278

https://moodle.org/mod/forum/discuss.php?d=459499#p1845279

https://moodle.org/mod/forum/discuss.php?d=459500#p1845280

https://moodle.org/mod/forum/discuss.php?d=459501#p1845281

https://moodle.org/mod/forum/discuss.php?d=459502#p1845282

Plugin Details

Severity: High

ID: 114692

Type: remote

Published: 4/10/2025

Updated: 4/10/2025

Scan Template: basic, full, pci, scan

Risk Information

VPR

Risk Factor: High

Score: 7.4

CVSS v2

Risk Factor: Critical

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2024-38276

CVSS v3

Risk Factor: High

Base Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS Score Source: CVE-2024-38276

Vulnerability Information

CPE: cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 6/17/2024

Reference Information

CVE: CVE-2024-38273, CVE-2024-38274, CVE-2024-38275, CVE-2024-38276, CVE-2024-38277

CWE: 226, 284, 324, 326, 352, 79

OWASP: 2010-A2, 2010-A5, 2010-A6, 2010-A7, 2010-A8, 2010-A9, 2013-A3, 2013-A5, 2013-A6, 2013-A7, 2013-A8, 2013-A9, 2017-A3, 2017-A5, 2017-A6, 2017-A7, 2017-A9, 2021-A1, 2021-A2, 2021-A3, 2021-A6

WASC: Application Misconfiguration, Cross-Site Request Forgery, Cross-Site Scripting, Information Leakage, Insufficient Authorization, Insufficient Transport Layer Protection

CAPEC: 102, 111, 112, 117, 19, 192, 20, 209, 37, 383, 441, 462, 467, 477, 478, 479, 502, 503, 536, 546, 550, 551, 552, 556, 558, 562, 563, 564, 578, 588, 591, 592, 62, 63, 65, 85

DISA STIG: APSC-DV-000170, APSC-DV-000460, APSC-DV-002440, APSC-DV-002490, APSC-DV-002500, APSC-DV-002630

HIPAA: 164.306(a)(1), 164.306(a)(2), 164.312(a), 164.312(a)(1), 164.312(a)(2)(i), 164.312(e)

ISO: 27001-A.10.1.1, 27001-A.10.1.2, 27001-A.12.6.1, 27001-A.13.1.1, 27001-A.14.1.2, 27001-A.14.1.3, 27001-A.14.2.5, 27001-A.18.1.3, 27001-A.18.1.5, 27001-A.6.2.2, 27001-A.9.1.2, 27001-A.9.4.1, 27001-A.9.4.4, 27001-A.9.4.5

NIST: sp800_53-AC-3, sp800_53-CM-6b, sp800_53-SC-12, sp800_53-SC-13, sp800_53-SI-10, sp800_53-SI-10(5), sp800_53-SI-15

OWASP API: 2019-API7, 2023-API8

OWASP ASVS: 4.0.2-1.4.2, 4.0.2-14.2.1, 4.0.2-4.2.2, 4.0.2-5.3.3, 4.0.2-8.3.6, 4.0.2-9.1.1, 4.0.2-9.1.2

PCI-DSS: 3.2-6.2, 3.2-6.5.3, 3.2-6.5.4, 3.2-6.5.7, 3.2-6.5.8, 3.2-6.5.9