
CVE-2016-2157: Moodle cross-site request forgery (CSRF) vulnerability

CVSS Score (v3.0): 8.8

Basic Information

EPSS Score: 0.37233%
Published: 5/13/2022
Updated: 1/26/2024
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Package Name    Ecosystem   Vulnerable Versions    First Patched Version
moodle/moodle   composer    < 2.7.13               2.7.13
moodle/moodle   composer    >= 2.8.0, < 2.8.11     2.8.11
moodle/moodle   composer    >= 2.9.0, < 2.9.5      2.9.5
moodle/moodle   composer    >= 3.0.0, < 3.0.3      3.0.3

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from the lack of a session token check in mod/assign/adminmanageplugins.php before processing user-supplied parameters ('plugin' and 'action'). The original code retrieved these parameters via optional_param() and passed them directly to assign_plugin_manager->execute(). The absence of require_sesskey() allowed attackers to forge requests that administrators might unintentionally execute. The patch explicitly adds require_sesskey() when the 'plugin' parameter is present, confirming the vulnerability resided in the unvalidated parameter handling leading to the execute() call.
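The parameter flow described above, written out as an added illustration that is not Moodle's verbatim source: the commented-out "before" lines show the unchecked path to execute(), and the live "after" lines add the require_sesskey() guard the patch introduced. It assumes Moodle's core helpers required_param(), optional_param(), require_sesskey() and the assign_plugin_manager class with an execute($action, $plugin) method, as the analysis names them.

```php
<?php
// Added illustration of mod/assign/adminmanageplugins.php's request handling;
// reconstructed from the analysis above, not Moodle's exact source.
// Assumes Moodle core: required_param(), optional_param(), require_sesskey(),
// and assign_plugin_manager::execute($action, $plugin) from mod/assign/adminlib.php.
require_once('../../config.php');
require_once($CFG->libdir . '/adminlib.php');
require_once($CFG->dirroot . '/mod/assign/adminlib.php');

// Both variants read the same request parameters. optional_param() only
// cleans the value by type (PARAM_PLUGIN); it says nothing about whether the
// logged-in administrator actually intended to send this request.
$subtype = required_param('subtype', PARAM_PLUGIN);
$action  = optional_param('action', null, PARAM_PLUGIN);
$plugin  = optional_param('plugin', null, PARAM_PLUGIN);

// --- Before (vulnerable): parameters go straight to execute(). ---
// Any site the admin visits while logged in can make the browser send a
// request carrying 'plugin' and 'action'; the session cookie is attached
// automatically, so Moodle cannot tell it apart from a genuine click.
//
//   $pluginmanager = new assign_plugin_manager($subtype);
//   $pluginmanager->execute($action, $plugin);

// --- After (patched): demand the per-session token for state changes. ---
// require_sesskey() compares the 'sesskey' request parameter with the token
// held in the user's server-side session and throws on mismatch or absence.
// A third-party page never sees that token, so a forged request dies here,
// before execute() runs. Plain listing views (no 'plugin') are unaffected.
if (!empty($plugin)) {
    require_sesskey();
}

$pluginmanager = new assign_plugin_manager($subtype);
$PAGE->set_context(context_system::instance());
$pluginmanager->execute($action, $plugin);
```

Auditing for this class of bug means checking that every code path which changes state after reading optional_param()/required_param() reaches require_sesskey() (or confirm_sesskey()) first, not just that the parameters are type-cleaned.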

