CVE-2024-43434: Moodle has CSRF risk in Feedback non-respondents report

CVSS Score (v3.1): 8.1

Basic Information

EPSS Score: 0.35793%
Published: 11/7/2024
Updated: 11/7/2024
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Package Name  | Ecosystem | Vulnerable Versions    | First Patched Version
moodle/moodle | composer  | < 4.1.12               | 4.1.12
moodle/moodle | composer  | >= 4.2.0-beta, < 4.2.9 | 4.2.9
moodle/moodle | composer  | >= 4.3.0-beta, < 4.3.6 | 4.3.6
moodle/moodle | composer  | >= 4.4.0-beta, < 4.4.2 | 4.4.2

Vulnerability Intelligence (Miggo AI)

Root Cause Analysis

The vulnerability centers on the Feedback module's non-respondents report bulk messaging feature. Moodle's standard CSRF protection requires validating tokens via require_sesskey() or form tokens. The advisory explicitly states the check was incorrect in this flow. The most logical location for this vulnerability is in the bulk action processor for non-respondents, which would handle message sending. While exact code isn't provided, Moodle's module structure and security patterns strongly suggest the processor class responsible for bulk actions in the non-respondents report is where the missing/invalid token check occurred.
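The pattern described above, as an added illustration that is not Moodle's code and not taken from the advisory: a hypothetical handler for the "message non-respondents" bulk action, showing where the session-key check belongs. The script name, the parameter names, the capability string and the send_bulk_message_to_user() helper are assumptions.

```php
<?php
// Added example, not Moodle's own code. Hypothetical bulk-message handler
// for the Feedback non-respondents report; parameter names are assumptions.
require_once('../../config.php');

$id      = required_param('id', PARAM_INT);            // course module id (assumed name)
$action  = optional_param('action', '', PARAM_ALPHA);
$userids = optional_param_array('userid', [], PARAM_INT);
$text    = optional_param('messagetext', '', PARAM_TEXT);

$cm      = get_coursemodule_from_id('feedback', $id, 0, false, MUST_EXIST);
$course  = get_course($cm->course);
$context = context_module::instance($cm->id);

require_login($course, true, $cm);
// Capability name assumed for this example.
require_capability('mod/feedback:viewreports', $context);

if ($action === 'sendmessage' && !empty($userids)) {
    // Hardened form: a state-changing POST must carry a valid session key.
    // require_sesskey() reads the 'sesskey' request parameter and throws if it
    // does not match the logged-in session. If this call is missing, or its
    // result is computed but never enforced, a forged cross-site request from
    // a logged-in teacher's browser would send the messages, which is the
    // flaw class this advisory describes.
    require_sesskey();

    foreach ($userids as $userid) {
        // Hypothetical helper standing in for the module's messaging code.
        send_bulk_message_to_user($userid, $text, $course);
    }
}

// The form that triggers the action must embed the token so legitimate
// requests pass the check above:
//   <input type="hidden" name="sesskey" value="<?php echo sesskey(); ?>">
```

Auditing for this bug means confirming that every branch that performs the send reaches require_sesskey() (or a form-token check) before any message is dispatched, not just that the function is referenced somewhere in the file.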


WAF Protection Rules

WAF Rule

The bulk message sending feature in Moodle's Feedback module's non-respondents report had an incorrect CSRF token check, leading to a CSRF vulnerability.
