CVE-2024-25982 — Cross-Site Request Forgery in Moodle

Severity

8.8HIGHNVD

CNA4.3

EPSS

0.4%

top 40.51%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Timeline

PublishedFeb 19

Description

The link to update all installed language packs did not include the necessary token to prevent a CSRF risk.

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

▶NVDmoodle/moodle4.1.0 — 4.1.9+2

▶Packagistmoodle/moodle4.3.0 — 4.3.3+2

Also affects: Fedora 38

OSV

CVE-2024-25982: The link to update all installed language packs did not include the necessary token to prevent a CSRF risk↗2024-02-19

▶

OSV

Cross-Site Request Forgery in moodle↗2024-02-19

▶

CVEList

Msa-24-0005: csrf risk in language import utility↗2024-02-19

▶

GHSA

Cross-Site Request Forgery in moodle↗2024-02-19

▶