CVE-2022-45149 — Cross-Site Request Forgery in Moodle

CWE-352 — Cross-Site Request Forgery4 documents3 sources

Severity

5.4MEDIUMNVD

EPSS

0.3%

top 46.32%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Moodle Fedoraproject Fedora

Timeline

PublishedNov 23

Description

A vulnerability was found in Moodle which exists due to insufficient validation of the HTTP request origin in course redirect URL. A user's CSRF token was unnecessarily included in the URL when being redirected to a course they have just restored. A remote attacker can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website. This flaw allows an attacker to perform cross-site request forgery attacks.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.5

Affected Packages3 packages

▶NVDmoodle/moodle3.9.0 — 3.9.18+2

▶Packagistmoodle/moodle3.9.0 — 3.9.18+2

▶CVEListV5moodle/moodleFixed in moodle 4.0.5, moodle 3.11.11, moodle 3.9.18

Also affects: Fedora 35, 36, 37

🔴Vulnerability Details

GHSA

Cross-Site Request Forgery in Moodle↗2022-11-23

▶

OSV

CVE-2022-45149: A vulnerability was found in Moodle which exists due to insufficient validation of the HTTP request origin in course redirect URL↗2022-11-23

▶

OSV

Cross-Site Request Forgery in Moodle↗2022-11-23

▶