Moodle 4.3.x < 4.3.4 Multiple Vulnerabilities

critical Web App Scanning Plugin ID 114725

Language:

Synopsis

Moodle 4.3.x < 4.3.4 Multiple Vulnerabilities

Description

According to its self-reported version, the Moodle install hosted on the remote host is 4.3.x prior to 4.3.4. It is, therefore, affected by multiple vulnerabilities.

- Insufficient checks whether ReCAPTCHA was enabled made it possible to bypass the checks on the login page. This did not affect other pages where ReCAPTCHA is utilised.

- The logout option within MFA did not include the necessary token to avoid the risk of users inadvertently being logged out via CSRF.

- The referrer URL used by MFA required additional sanitizing, rather than being used directly.

Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade to Moodle version 4.3.4 or latest.

See Also

http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-80877

http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-80878

http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-81463

https://moodle.org/mod/forum/discuss.php?d=458387#p1840913

https://moodle.org/mod/forum/discuss.php?d=458396#p1840923

https://moodle.org/mod/forum/discuss.php?d=458398#p1840925

Plugin Details

Severity: Critical

ID: 114725

Type: remote

Family: Component Vulnerability

Published: 4/10/2025

Updated: 4/10/2025

Scan Template: basic, full, pci, scan

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2024-34007

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS Score Source: CVE-2024-33999

Vulnerability Information

CPE: cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 5/30/2024

Reference Information

CVE: CVE-2024-33999, CVE-2024-34007, CVE-2024-34009

CWE: 20, 352

OWASP: 2010-A4, 2010-A5, 2013-A4, 2013-A8, 2013-A9, 2017-A5, 2017-A9, 2021-A1, 2021-A3, 2021-A6

WASC: Cross-Site Request Forgery, Improper Input Handling

CAPEC: 10, 101, 104, 108, 109, 110, 111, 120, 13, 135, 136, 14, 153, 182, 209, 22, 23, 230, 231, 24, 250, 261, 267, 28, 3, 31, 42, 43, 45, 46, 462, 467, 47, 473, 52, 53, 588, 62, 63, 64, 67, 7, 71, 72, 73, 78, 79, 8, 80, 81, 83, 85, 88, 9

DISA STIG: APSC-DV-002500, APSC-DV-002560, APSC-DV-002630

HIPAA: 164.306(a)(1), 164.306(a)(2)

ISO: 27001-A.12.6.1, 27001-A.14.2.5

NIST: sp800_53-CM-6b, sp800_53-SI-10, sp800_53-SI-10(5)

OWASP API: 2019-API7, 2023-API8

OWASP ASVS: 4.0.2-14.2.1, 4.0.2-4.2.2, 4.0.2-5.1.3

PCI-DSS: 3.2-6.2, 3.2-6.5, 3.2-6.5.9