
CVE-2024-38276: Moodle CSRF risks due to misuse of confirm_sesskey

CVSS Score: 5.4 (CVSS 3.1)

Basic Information

EPSS Score: 0.36335%
Published: 6/18/2024
Updated: 8/4/2024
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Package Name    Ecosystem   Vulnerable Versions        First Patched Version
moodle/moodle   composer    >= 4.4.0-beta, < 4.4.1     4.4.1
moodle/moodle   composer    >= 4.3.0-beta, < 4.3.5     4.3.5
moodle/moodle   composer    >= 4.2.0-beta, < 4.2.8     4.2.8
moodle/moodle   composer    < 4.1.11                   4.1.11

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from improper CSRF token validation using confirm_sesskey() instead of require_sesskey(). The key differences are:

  1. confirm_sesskey() only throws an exception if the sesskey is invalid and does not by itself stop execution
  2. require_sesskey() immediately terminates the request when validation fails
  3. Multiple patches (index.php, options.php) explicitly replace confirm_sesskey with require_sesskey in security-sensitive flows
  4. The CVE description explicitly cites 'misuse of confirm_sesskey' as the root cause
  5. Additional commits in related files (mod/assign/locallib.php) show similar patterns of hardening sesskey checks
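To make the difference between the two patterns concrete, here is an added example that is not Moodle's code and not part of the original analysis: minimal stand-ins for the two helpers (following only their contract: confirm_sesskey() returns a bool, require_sesskey() throws on failure) with a state-changing handler written in the vulnerable form beside the hardened form, run against a constructed forged request.

```php
<?php
// Added example (not Moodle's code): minimal stand-ins for the two sesskey
// helpers so the vulnerable and hardened handler patterns run side by side.
// The stand-ins follow the real helpers' contract (confirm_sesskey() returns
// a bool, require_sesskey() throws on failure) and nothing more.
$SESSION = ['sesskey' => bin2hex(random_bytes(16))]; // per-session CSRF token

function sesskey(): string {
    global $SESSION;
    return $SESSION['sesskey'];
}
// Reports whether the submitted sesskey matches; does NOT stop execution.
function confirm_sesskey(?string $sesskey = null): bool {
    $sesskey = $sesskey ?? ($_REQUEST['sesskey'] ?? '');
    return hash_equals(sesskey(), $sesskey);
}
// Aborts the request unless the sesskey is valid.
function require_sesskey(): void {
    if (!confirm_sesskey()) {
        throw new RuntimeException('invalidsesskey');
    }
}
// Vulnerable pattern: the boolean result is discarded, so a forged request
// carrying a wrong or missing sesskey still reaches the state change.
function save_option_vulnerable(array &$store): void {
    confirm_sesskey();                       // result ignored
    $store['option'] = $_REQUEST['option'] ?? null;
}
// Hardened pattern (what the fix does): enforcement happens before the change.
function save_option_hardened(array &$store): void {
    require_sesskey();
    $store['option'] = $_REQUEST['option'] ?? null;
}

// Constructed forged request: attacker-chosen parameter, invalid sesskey.
$_REQUEST = ['option' => 'forged', 'sesskey' => 'not-the-real-token'];

$store = [];
save_option_vulnerable($store);
echo "vulnerable: stored " . var_export($store['option'], true) . "\n";

$store = [];
try {
    save_option_hardened($store);
    echo "hardened: stored " . var_export($store['option'], true) . "\n";
} catch (RuntimeException $e) {
    echo "hardened: rejected (" . $e->getMessage() . ")\n";
}
```

Running it shows the vulnerable handler persisting the forged value while the hardened one rejects the request before any state changes; the same check (a bare confirm_sesskey() call whose result is unused) is what to grep for when auditing similar code.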


WAF Protection Rules

WAF Rule: Incorrect CSRF token checks resulted in multiple CSRF risks.
