CVE-2021-43559 — Cross-Site Request Forgery in Moodle

CWE-352 — Cross-Site Request Forgery4 documents3 sources

Severity

8.8HIGHNVD

EPSS

0.1%

top 71.04%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Moodle Fedoraproject Extra Packages FOR Enterprise Linux Fedoraproject Fedora

Timeline

PublishedNov 22

Latest updateMay 24

Description

A flaw was found in Moodle in versions 3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10 and earlier unsupported versions. The "delete related badge" functionality did not include the necessary token check to prevent a CSRF risk.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages4 packages

▶NVDmoodle/moodle3.9.0 — 3.9.11+3

▶Packagistmoodle/moodle3.11 — 3.11.4+2

▶CVEListV5moodle/moodlemoodle 3.11.4, moodle 3.10.8 and moodle 3.9.11

▶NVDfedoraproject/extra_packages7.0

Also affects: Fedora 35

Patches

Patch: moodle.org ↗Patch: moodle.org ↗

🔴Vulnerability Details

GHSA

Moodle contains CSRF vulnerability↗2022-05-24

▶

OSV

Moodle contains CSRF vulnerability↗2022-05-24

▶

OSV

CVE-2021-43559: A flaw was found in Moodle in versions 3↗2021-11-22

▶