CVE-2024-34007: Moodle Logout CSRF in admin/tool/mfa/auth.php
8.8
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.71264%
CWE
Published
5/31/2024
Updated
6/4/2024
KEV Status
No
Technology
PHP
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| moodle/moodle | composer | >= 4.3.0, < 4.3.4 | 4.3.4 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
- The vulnerability explicitly concerns missing CSRF protection in MFA logout.
- Moodle's standard CSRF prevention uses require_sesskey() checks for state-changing actions.
- The affected file path admin/tool/mfa/auth.php indicates the logout handler resides here.
- While exact function names aren't provided, the logout functionality in this file would logically process logout requests without token validation before patching.