CVE-2024-43434

The bulk message sending feature in Moodle's Feedback module's non-respondents report had an incorrect CSRF token check, leading to a CSRF vulnerability.

CVSS v3 8.1 HIGH

8.1^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://bugzilla.redhat.com/show_bug.cgi?id=2304262	Permissions Required
https://moodle.org/mod/forum/discuss.php?d=461203	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:moodle:moodle::::::::
	cpe:2.3:a:moodle:moodle::::::::
	cpe:2.3:a:moodle:moodle::::::::
	cpe:2.3:a:moodle:moodle::::::::

History

01 May 2025, 16:03

Type	Values Removed	Values Added
First Time		Moodle Moodle moodle
CPE		cpe:2.3:a:moodle:moodle::::::::
References	~~() https://bugzilla.redhat.com/show_bug.cgi?id=2304262 -~~	() https://bugzilla.redhat.com/show_bug.cgi?id=2304262 - Permissions Required
References	~~() https://moodle.org/mod/forum/discuss.php?d=461203 -~~	() https://moodle.org/mod/forum/discuss.php?d=461203 - Vendor Advisory

Information

Published : 2024-11-07 14:15

Updated : 2025-05-01 16:03

NVD link : CVE-2024-43434

Mitre link : CVE-2024-43434

CVE.ORG link : CVE-2024-43434

JSON object : View

Products Affected

moodle

moodle

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

{"id": "CVE-2024-43434", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "patrick@puiterwijk.org", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 2.8}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 2.8}]}, "published": "2024-11-07T14:15:16.067", "references": [{"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2304262", "tags": ["Permissions Required"], "source": "patrick@puiterwijk.org"}, {"url": "https://moodle.org/mod/forum/discuss.php?d=461203", "tags": ["Vendor Advisory"], "source": "patrick@puiterwijk.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-22"}]}], "descriptions": [{"lang": "en", "value": "The bulk message sending feature in Moodle's Feedback module's non-respondents report had an incorrect CSRF token check, leading to a CSRF vulnerability."}, {"lang": "es", "value": "La funci\u00f3n de env\u00edo masivo de mensajes en el informe de no respuestas del m\u00f3dulo de comentarios de Moodle ten\u00eda una verificaci\u00f3n de token CSRF incorrecta, lo que generaba una vulnerabilidad CSRF."}], "lastModified": "2025-05-01T16:03:08.523", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E5532931-0BD7-4522-9641-F0455BB030D8", "versionEndExcluding": "4.1.12"}, {"criteria": "cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B8D123FB-556C-4602-91CB-ABE6541079F3", "versionEndExcluding": "4.2.9", "versionStartIncluding": "4.2.0"}, {"criteria": "cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FBA8C381-9493-42BD-A5EA-7AADFAB68C5E", "versionEndExcluding": "4.3.6", "versionStartIncluding": "4.3.0"}, {"criteria": "cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "277E1058-2F00-45DB-8BFC-2628CCC89981", "versionEndExcluding": "4.4.2", "versionStartIncluding": "4.4.0"}], "operator": "OR"}]}], "sourceIdentifier": "patrick@puiterwijk.org"}