CVSS Score
The vulnerability stems from missing CSRF protection in key grading-related functions of the assignment module. Moodle's CSRF defence is the session key (sesskey), a per-session token that every state-changing request must carry and that require_sesskey() (or confirm_sesskey()) compares against the logged-in user's session. The patches (436ef91, a57eacc, f977d37) added require_sesskey() calls to the affected functions in mod/assign/locallib.php, confirming they were previously unprotected. These functions handle teacher-specific actions (grading, granting extensions, changing settings) and performed their state changes without checking the token, so a logged-in teacher could be made to trigger them from a page controlled by an attacker, making them CSRF entry points.
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| moodle/moodle | composer | < 2.4.10 | 2.4.10 |
| moodle/moodle | composer | >= 2.5.0, < 2.5.6 | 2.5.6 |
| moodle/moodle | composer | >= 2.6.0, < 2.6.3 | 2.6.3 |
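The following is an added illustration of the sesskey check described above; it is not code from the advisory or from Moodle. The sesskey(), confirm_sesskey() and require_sesskey() functions below are simplified stand-ins for the real ones in Moodle's lib/sessionlib.php (the real confirm_sesskey() reads the parameter with optional_param() rather than taking a request array), and the save_extension_* handlers, the $extensions array and the request arrays are hypothetical constructs that stand in for an assignment action such as granting an extension.

```php
<?php
// Added example, not Moodle's own code: a minimal stand-in for the sesskey
// CSRF check and a hypothetical teacher action shown before and after a
// require_sesskey() call is added.

// --- Stand-ins for Moodle's session-key API (simplified, assumed shape) ---

$USER = new stdClass();
$USER->id = 2;                                   // the logged-in teacher
$USER->sesskey = bin2hex(random_bytes(16));      // per-session CSRF token

function sesskey(): string {
    global $USER;
    return $USER->sesskey;
}

// Compares the 'sesskey' request parameter with the session value.
// Takes the request array explicitly so the script runs from the CLI.
function confirm_sesskey(array $request): bool {
    global $USER;
    $supplied = $request['sesskey'] ?? '';
    return is_string($supplied) && hash_equals($USER->sesskey, $supplied);
}

class invalid_sesskey_exception extends Exception {}

function require_sesskey(array $request): void {
    if (!confirm_sesskey($request)) {
        throw new invalid_sesskey_exception('Invalid session key');
    }
}

// --- Hypothetical grading action (not the real mod/assign code) ---

// Tiny in-memory store of extension deadlines keyed by student user id.
$extensions = [];

// BEFORE the fix: whatever reaches the handler is acted upon.
function save_extension_unprotected(array $request, array &$extensions): void {
    $extensions[(int)$request['userid']] = (int)$request['extensionduedate'];
}

// AFTER the fix: the token check runs before any state is changed.
function save_extension_protected(array $request, array &$extensions): void {
    require_sesskey($request);
    $extensions[(int)$request['userid']] = (int)$request['extensionduedate'];
}

// Constructed request forged by a third-party page: the browser attaches the
// teacher's session cookie, but the attacker cannot read the sesskey value,
// so the parameter is absent.
$forged = ['action' => 'saveextension', 'userid' => 7, 'extensionduedate' => 1893456000];

// Constructed legitimate request from Moodle's own form, which embeds sesskey().
$legit = $forged + ['sesskey' => sesskey()];

save_extension_unprotected($forged, $extensions);
printf("unprotected handler, forged request: extension set = %s\n",
    isset($extensions[7]) ? 'yes' : 'no');

$extensions = [];
try {
    save_extension_protected($forged, $extensions);
    echo "protected handler, forged request: extension set\n";
} catch (invalid_sesskey_exception $e) {
    echo "protected handler, forged request: rejected ({$e->getMessage()})\n";
}

save_extension_protected($legit, $extensions);
printf("protected handler, legitimate request: extension set = %s\n",
    isset($extensions[7]) ? 'yes' : 'no');
```

Run with `php example.php`: the unprotected handler writes the extension for the forged request, the protected one rejects it and accepts only the request carrying the token. Two points matter when auditing or fixing code like this: the require_sesskey() call has to come before the first write, not after it, and it must be present in every handler that changes state, which is exactly the gap the three patches closed in mod/assign/locallib.php.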