| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| moodle/moodle | composer | < 4.1.18 | 4.3.12 |
| moodle/moodle | composer | >= 4.3.0-beta, < 4.3.12 | 4.3.12 |
| moodle/moodle | composer | >= 4.4.0-beta, < 4.4.8 | 4.4.8 |
| moodle/moodle | composer | >= 4.5.0-beta, < 4.5.4 | 4.5.4 |
The primary vulnerability is the exposure of the CSRF token (sesskey) in GET parameters. I analyzed the provided commit 052007b7324ef24aebe36a876ffa4fa97fac4f81.
mod/data/classes/template.php: The function mod_data_template::get_tag_actionsmenu_replacement was identified as the source of the vulnerability. The patch explicitly shows the removal of sesskey() from the parameters of $editurl and $deleteurl. This means the function was previously constructing URLs that included the sesskey as a GET parameter, directly causing the information leak.
mod/data/edit.php: This script had a require_sesskey() call removed from an early check conditional on $rid (record ID). This implies that the edit page may previously have relied on or validated a sesskey passed via GET when an edit operation was initiated. While this script is an endpoint affected by the leaked token, the function causing the leak is in template.php. The change here is a mitigation so that the script no longer expects or requires the sesskey from GET at that stage.
mod/data/view.php: This script, which handles actions like delete and approve, had confirm_sesskey() calls removed from the initial if conditions for these actions. require_sesskey() was then added after a confirmation step (implying it should come from a POST). This indicates that view.php was previously checking the sesskey from GET parameters for these actions. Similar to edit.php, this script was an endpoint affected by the leak, and the changes mitigate the reliance on GET-passed tokens for initial authorization.
While edit.php and view.php were the pages where these vulnerable URLs would be used, and their logic was changed to handle the sesskey more securely, the function that created the vulnerable URLs by embedding the sesskey in GET parameters is mod_data_template::get_tag_actionsmenu_replacement. This function is the most direct source of the vulnerability as described ('pass CSRF token in GET parameter'). The changes in edit.php and view.php concern how those scripts consume and validate the sesskey; they are reactive fixes to the leak originating in template.php. Since the request is for 'exactFunctionNameWithNamespace', and the changes in edit.php and view.php are in the global script scope rather than within specific named functions in the patch, mod_data_template::get_tag_actionsmenu_replacement is the most fitting and clearly identifiable vulnerable function based on the evidence.
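A defender-side check for the URL shape this patch removes, added here as an example that is not Moodle's code: it scans web-server access-log lines (constructed, Combined Log Format) for a sesskey carried in a GET query string or in a Referer header, and masks the token value before a URL is stored or forwarded. The host name, client addresses and token value are made up.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

TOKEN_PARAMS = {"sesskey"}  # Moodle's CSRF token parameter name

# Combined Log Format: client, ident, user, [time], "request line", status, bytes, "referer", "ua".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

# Constructed sample traffic (host and token value are made up). Lines 1-2 have the pre-patch
# URL shape built by get_tag_actionsmenu_replacement; line 3 is a confirmed delete sent by POST
# (token in the body, not the URL); line 4 is the post-patch shape; line 5 leaks via Referer.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2025:10:00:01 +0000] "GET /mod/data/edit.php?d=3&rid=42&sesskey=AbC123xyz HTTP/1.1" 200 5120 "https://lms.example/mod/data/view.php?d=3" "Mozilla/5.0"
203.0.113.5 - - [10/Jan/2025:10:00:07 +0000] "GET /mod/data/view.php?d=3&delete=42&sesskey=AbC123xyz HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Jan/2025:10:01:30 +0000] "POST /mod/data/view.php HTTP/1.1" 303 0 "https://lms.example/mod/data/view.php?d=3&delete=7" "Mozilla/5.0"
203.0.113.9 - - [10/Jan/2025:10:02:00 +0000] "GET /mod/data/view.php?d=3&approve=7 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2025:10:03:00 +0000] "GET /theme/image.php/boost/core/logo HTTP/1.1" 200 900 "https://lms.example/mod/data/edit.php?d=3&rid=42&sesskey=AbC123xyz" "Mozilla/5.0"
"""

def token_params_in(url: str) -> dict:
    """Return the CSRF-token query parameters present in a URL (empty dict if none)."""
    return {k: v for k, v in parse_qsl(urlsplit(url).query, keep_blank_values=True)
            if k in TOKEN_PARAMS}

def redact_tokens(url: str) -> str:
    """Mask token values so the URL can be kept in logs or forwarded without leaking them."""
    parts = urlsplit(url)
    pairs = [(k, "REDACTED" if k in TOKEN_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))

def scan_access_log(text: str) -> list:
    """Flag requests whose query string or Referer header carries a CSRF token."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not a Combined Log Format line; skip rather than guess
        for field, where in (("target", "query"), ("referer", "referer")):
            if token_params_in(m[field]):
                findings.append({"line": lineno, "client": m["ip"], "method": m["method"],
                                 "where": where, "path": urlsplit(m[field]).path,
                                 "redacted": redact_tokens(m[field])})
    return findings

if __name__ == "__main__":
    print(*scan_access_log(SAMPLE_LOG), sep="\n")
```

Line 4 is what the same action looks like after the patch (no token in the URL) and is not flagged; line 5 shows why masking matters even for requests to unrelated resources, since the browser copies the previous page's URL into Referer.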