Improper Input Validation Affecting moodle/moodle package, versions >=4.3.0, <4.3.4


Severity

Recommended
0.0
medium
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.04% (12th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-PHP-MOODLEMOODLE-7175994
  • published2 Jun 2024
  • disclosed31 May 2024
  • creditPetr Skoda

Introduced: 31 May 2024

CVE-2024-33999  (opens in a new tab)
CWE-20  (opens in a new tab)

How to fix?

Upgrade moodle/moodle to version 4.3.4 or higher.

Overview

moodle/moodle is a learning platform.

Affected versions of this package are vulnerable to Improper Input Validation due to the direct use of the $_SERVER['HTTP_REFERER'] in the MFA setup process. An attacker can manipulate the referrer URL to bypass security checks or redirect users to malicious sites by crafting a deceptive link that appears legitimate.

CVSS Scores

version 3.1