Multiple vulnerabilities in Moodle
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 14 |
| CVE-ID | CVE-2024-34008 CVE-2024-34000 CVE-2024-34001 CVE-2024-34002 CVE-2024-34003 CVE-2024-34006 CVE-2024-34007 CVE-2024-33999 CVE-2024-33996 CVE-2024-33997 CVE-2024-33998 CVE-2024-34004 CVE-2024-34005 CVE-2024-34009 |
| CWE-ID | CWE-352 CWE-79 CWE-98 CWE-254 CWE-284 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
Moodle Web applications / Other software |
| Vendor | moodle.org |
Security Bulletin
This security bulletin contains information about 14 vulnerabilities.
1) Cross-site request forgery
EUVDB-ID: #VU89527
Risk: Low
CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-34008
CWE-ID:
CWE-352 - Cross-Site Request Forgery (CSRF)
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform cross-site request forgery attacks.
The vulnerability exists due to insufficient validation of the HTTP request origin in analytics management of models. A remote attacker can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.
MitigationInstall updates from vendor's website.
Vulnerable software versionsMoodle: 4.0.0 - 4.3.3
CPE2.3- cpe:2.3:a:moodle_org:moodle:4.0.12:*:*:*:*:*:*:
- cpe:2.3:a:moodle_org:moodle:4.1.9:*:*:*:*:*:*:
- cpe:2.3:a:moodle_org:moodle:4.2.6:*:*:*:*:*:*:
- cpe:2.3:a:moodle_org:moodle:4.3.3:*:*:*:*:*:*:
http://moodle.org/mod/forum/discuss.php?d=458397
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-81059
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Stored cross-site scripting
EUVDB-ID: #VU89546
Risk: Low
CVSSv3.1: 6.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-34000
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data in lesson overview report via user ID number. A remote attacker can inject and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
MitigationInstall updates from vendor's website.
Vulnerable software versionsMoodle: 4.0.0 - 4.3.3
CPE2.3http://moodle.org/mod/forum/discuss.php?d=458388
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-81062
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Cross-site request forgery
EUVDB-ID: #VU89545
Risk: Low
CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-34001
CWE-ID:
CWE-352 - Cross-Site Request Forgery (CSRF)
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform cross-site request forgery attacks.
The vulnerability exists due to insufficient validation of the HTTP request origin in admin preset tool management of presets. A remote attacker can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.
MitigationInstall updates from vendor's website.
Vulnerable software versionsMoodle: 4.0.0 - 4.3.3
CPE2.3http://moodle.org/mod/forum/discuss.php?d=458389
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) PHP file inclusion
EUVDB-ID: #VU89544
Risk: Medium
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-34002
CWE-ID:
CWE-98 - Improper Control of Filename for Include/Require Statement in PHP Program
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to include and execute arbitrary PHP files on the server.
The vulnerability exists due to incorrect input validation when including PHP files in some misconfigured shared hosting environments via modified mod_feedback backup. A remote user can send a specially crafted HTTP request to the affected application, include and execute arbitrary PHP code on the system with privileges of the web server.
MitigationInstall updates from vendor's website.
Vulnerable software versionsMoodle: 4.0.0 - 4.3.3
CPE2.3http://moodle.org/mod/forum/discuss.php?d=458390
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-81135
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) PHP file inclusion
EUVDB-ID: #VU89543
Risk: Medium
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-34003
CWE-ID:
CWE-98 - Improper Control of Filename for Include/Require Statement in PHP Program
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to include and execute arbitrary PHP files on the server.
The vulnerability exists due to incorrect input validation when including PHP files in some misconfigured shared hosting environments via modified mod_workshop backup. A remote user can send a specially crafted HTTP request to the affected application, include and execute arbitrary PHP code on the system with privileges of the web server.
MitigationInstall updates from vendor's website.
Vulnerable software versionsMoodle: 4.0.0 - 4.3.3
CPE2.3http://moodle.org/mod/forum/discuss.php?d=458391
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-80712
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Cross-site scripting
EUVDB-ID: #VU89542
Risk: Low
CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-34006
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data in site log for config_log_created. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
MitigationInstall updates from vendor's website.
Vulnerable software versionsMoodle: 4.0.0 - 4.3.3
CPE2.3http://moodle.org/mod/forum/discuss.php?d=458395
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-80585
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
7) Cross-site request forgery
EUVDB-ID: #VU89541
Risk: Low
CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-34007
CWE-ID:
CWE-352 - Cross-Site Request Forgery (CSRF)
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform cross-site request forgery attacks.
The vulnerability exists due to insufficient validation of the HTTP request origin in admin/tool/mfa/auth.php. A remote attacker can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.
MitigationInstall updates from vendor's website.
Vulnerable software versionsMoodle: 4.3.0 - 4.3.3
CPE2.3http://moodle.org/mod/forum/discuss.php?d=458396
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-80877
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
8) Security features bypass
EUVDB-ID: #VU89539
Risk: Medium
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-33999
CWE-ID:
CWE-254 - Security Features
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to unsafe direct use of $_SERVER['HTTP_REFERER'] in admin/tool/mfa/index.php. A remote attacker can bypass authentication.
MitigationInstall updates from vendor's website.
Vulnerable software versionsMoodle: 4.3.0 - 4.3.3
CPE2.3http://moodle.org/mod/forum/discuss.php?d=458387
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-80878
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
9) Improper access control
EUVDB-ID: #VU89536
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-33996
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions when setting calendar event type. A remote user can create events with types/audiences they are not have permission to publish to.
MitigationInstall updates from vendor's website.
Vulnerable software versionsMoodle: 4.0.0 - 4.3.3
CPE2.3http://moodle.org/mod/forum/discuss.php?d=458384
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-81247
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
10) Stored cross-site scripting
EUVDB-ID: #VU89534
Risk: Low
CVSSv3.1: 6.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-33997
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data when editing another user's equation in equation editor. A remote attacker can inject and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
MitigationInstall updates from vendor's website.
Vulnerable software versionsMoodle: 4.0.0 - 4.3.3
CPE2.3http://moodle.org/mod/forum/discuss.php?d=458385
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-81352
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
11) Stored cross-site scripting
EUVDB-ID: #VU89533
Risk: Low
CVSSv3.1: 6.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-33998
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data within user's name on participants page when opening some options. A remote attacker can inject and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
MitigationInstall updates from vendor's website.
Vulnerable software versionsMoodle: 4.0.0 - 4.3.3
CPE2.3http://moodle.org/mod/forum/discuss.php?d=458386
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-81354
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
12) PHP file inclusion
EUVDB-ID: #VU89532
Risk: Medium
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-34004
CWE-ID:
CWE-98 - Improper Control of Filename for Include/Require Statement in PHP Program
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to include and execute arbitrary PHP files on the server.
The vulnerability exists due to incorrect input validation when including PHP files in some misconfigured shared hosting environments via modified mod_wiki backup. A remote user can send a specially crafted HTTP request to the affected application, include and execute arbitrary PHP code on the system with privileges of the web server.
MitigationInstall updates from vendor's website.
Vulnerable software versionsMoodle: 4.0.0 - 4.3.3
CPE2.3http://moodle.org/mod/forum/discuss.php?d=458393
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-81284
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
13) PHP file inclusion
EUVDB-ID: #VU89530
Risk: Medium
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-34005
CWE-ID:
CWE-98 - Improper Control of Filename for Include/Require Statement in PHP Program
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to include and execute arbitrary PHP files on the server.
The vulnerability exists due to incorrect input validation when including PHP files in some misconfigured shared hosting environments via modified mod_data backup. A remote user can send a specially crafted HTTP request to the affected application, include and execute arbitrary PHP code on the system with privileges of the web server.
MitigationInstall updates from vendor's website.
Vulnerable software versionsMoodle: 4.0.0 - 4.3.3
CPE2.3http://moodle.org/mod/forum/discuss.php?d=458394
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-81267
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
14) Improper access control
EUVDB-ID: #VU89528
Risk: High
CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-34009
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to the ReCAPTCHA can be bypassed on the login page. A remote attacker can bypass the checks on the login page.
MitigationInstall updates from vendor's website.
Vulnerable software versionsMoodle: 4.3.0 - 4.3.3
CPE2.3http://moodle.org/mod/forum/discuss.php?d=458398
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-81463
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
