Detections
Analytics

Moodle 4.4.x < 4.4.3 Multiple Vulnerabilities

high Web App Scanning Plugin ID 114712

Language:

Synopsis

Moodle 4.4.x < 4.4.3 Multiple Vulnerabilities

Description

According to its self-reported version, the Moodle install hosted on the remote host is 4.1.x prior to 4.1.13, 4.2.x prior to 4.2.10, 4.3.x prior to 4.3.7, or 4.4.x prior to 4.4.3. It is, therefore, affected by multiple vulnerabilities.

- A lesson activity password bypass through PHP loose comparison.

- An IDOR when deleting OAuth2 linked accounts.

- Unprotected access to sensitive information via dynamic tables.

Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade to Moodle version 4.4.3 or latest.

See Also

http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-76962

http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-82365

http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-82567

https://moodle.org/mod/forum/discuss.php?d=461894#p1854491

https://moodle.org/mod/forum/discuss.php?d=461895#p1854492

https://moodle.org/mod/forum/discuss.php?d=461897#p1854494

Plugin Details

Severity: High

ID: 114712

Type: remote

Published: 4/10/2025

Updated: 4/10/2025

Scan Template: api, basic, full, pci, scan

Risk Information

VPR

Risk Factor: Low

Score: 3.6

CVSS v2

Risk Factor: Medium

Base Score: 6.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N

CVSS Score Source: CVE-2024-45690

CVSS v3

Risk Factor: High

Base Score: 7.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVSS Score Source: CVE-2024-45690

Vulnerability Information

CPE: cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 9/9/2024

Reference Information

CVE: CVE-2024-45689, CVE-2024-45690, CVE-2024-45691