CVE-2024-43437: Moodle Cross-site Scripting vulnerability
5.4
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.44091%
CWE
Published
11/11/2024
Updated
11/12/2024
KEV Status
No
Technology
PHP
PHPTechnical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| moodle/moodle | composer | >= 4.4.0, < 4.4.2 | 4.4.2 |
| moodle/moodle | composer | >= 4.3.0, < 4.3.6 | 4.3.6 |
| moodle/moodle | composer | >= 4.2.0, < 4.2.9 | 4.2.9 |
| moodle/moodle | composer | < 4.1.12 | 4.1.12 |
Vulnerability Intelligence
Miggo AI
Miggo AIRoot Cause Analysis
The vulnerability stems from improper sanitization during backup restoration. The commit MDL-81394 explicitly addresses formatting backup metadata safely, indicating functions handling backup metadata display were vulnerable. Moodle's restore_controller and UI renderers are central to processing and displaying backup details. Without proper escaping in these components, XSS could occur. While the exact code changes are unavailable, the commit message and security advisory strongly implicate these areas. Confidence is medium due to reliance on contextual clues rather than direct code analysis.