
CVE-2021-3943:
Moodle vulnerable to RCE via unsafe deserialization

CVSS Score (v3.1): 9.8

Basic Information

EPSS Score: 0.77952%
Published: 11/23/2021
Updated: 7/11/2023
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package Name   | Ecosystem | Vulnerable Versions  | First Patched Version
moodle/moodle  | composer  | >= 3.11, <= 3.11.3   | 3.11.4
moodle/moodle  | composer  | >= 3.10, <= 3.10.7   | 3.10.8
moodle/moodle  | composer  | >= 3.9, <= 3.9.10    | 3.9.11

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from unsafe use of PHP's native unserialize() on user-controlled backup data (the block configdata field). Because unserialize() instantiates whatever class the serialized bytes name and invokes its magic methods (such as __wakeup() and __destruct()), anyone who can supply a crafted backup file can inject objects of arbitrary application classes. The commit diff shows multiple instances where unserialize(base64_decode(...)) was replaced with a safer unserialize_object() wrapper. The affected functions deserialized backup content directly, without validating it first. Key files showing this pattern include restore_stepslib.php (core backup handling) and several block implementations (HTML, RSS client) that process serialized configdata.
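As an added illustration (not Moodle's code and not the fix's diff), the following PHP contrasts the unsafe pattern named above with a hardened wrapper that mirrors the intent of the unserialize_object() replacement: restrict deserialization to stdClass through PHP's allowed_classes option and reject anything else. The function names restore_configdata_unsafe, restore_configdata_safe, unserialize_stdclass_only and contains_incomplete_class, and the Marker class, are constructed for this example; whether Moodle's own wrapper is implemented exactly this way is not stated on this page.

```php
<?php
// Added example, not Moodle's code. Function names and the Marker class are
// constructed for illustration; the allowed_classes option is real PHP (>= 7.0).

// Constructed stand-in for any application class with a magic method.
// unserialize() rebuilds whatever class the input names and calls its
// __wakeup(); the bytes, not the application, decide which class that is.
final class Marker
{
    public static $wakeups = 0;

    public function __wakeup()
    {
        self::$wakeups++;
    }
}

// The pattern the advisory describes: base64-decoded, user-supplied configdata
// goes straight into native unserialize() with no class restriction.
function restore_configdata_unsafe(string $configdata)
{
    return unserialize(base64_decode($configdata));
}

// True if any object in the decoded value is a __PHP_Incomplete_Class, i.e. a
// class name that allowed_classes blocked (nested objects included).
function contains_incomplete_class($value): bool
{
    if ($value instanceof __PHP_Incomplete_Class) {
        return true;
    }
    if (is_object($value)) {
        $value = get_object_vars($value);
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (contains_incomplete_class($item)) {
                return true;
            }
        }
    }
    return false;
}

// Hardened wrapper modelled on the intent of unserialize_object(): only stdClass
// may be instantiated, so no application class is constructed and no magic
// method runs from attacker-controlled bytes. Anything that is not a plain
// stdClass tree is rejected as a whole (null), which the caller can log.
function unserialize_stdclass_only(string $input): ?stdClass
{
    $result = @unserialize($input, ['allowed_classes' => ['stdClass']]);
    if (!($result instanceof stdClass) || contains_incomplete_class($result)) {
        return null;
    }
    return $result;
}

function restore_configdata_safe(string $configdata): ?stdClass
{
    $decoded = base64_decode($configdata, true);   // strict mode: reject non-base64 input
    return $decoded === false ? null : unserialize_stdclass_only($decoded);
}

// --- constructed inputs ---------------------------------------------------
// A legitimate HTML-block style config: a plain object with scalar fields.
$legit = base64_encode(serialize((object) ['title' => 'Welcome', 'text' => '<p>Hello</p>']));
// A tampered backup naming an application class instead of stdClass.
$tampered = base64_encode(serialize(new Marker()));

// Unsafe path: the class named in the input is instantiated and __wakeup() runs.
restore_configdata_unsafe($tampered);
echo "wakeups after unsafe restore: " . Marker::$wakeups . "\n";

// Safe path: the legitimate config round-trips, the tampered one is rejected,
// and __wakeup() is never invoked, so the counter does not move.
$cfg = restore_configdata_safe($legit);
echo "legit title: " . ($cfg ? $cfg->title : 'rejected') . "\n";
echo "tampered: " . (restore_configdata_safe($tampered) === null ? 'rejected' : 'accepted') . "\n";
echo "wakeups after safe restore: " . Marker::$wakeups . "\n";
```

Run with `php example.php`. On the unsafe path the Marker instance is rebuilt and its __wakeup() increments the counter; on the safe path the legitimate stdClass config is returned intact, the tampered input comes back as null, and the counter is unchanged. In a real restore routine the null return is the place to log a rejected backup entry, which is a useful detection signal for tampered backup files.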

WAF Protection Rules

WAF Rule

A flaw was found in Moodle in versions 3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10 and earlier unsupported versions. A remote code execution risk when restoring backup files was identified.
