4 critical vulnerabilities in Moodle, an open-source learning platform/course management system (CMS)

Cybersecurity specialists reported the detection of multiple security flaws in Moodle, a free and open-source learning management system (LMS) written in PHP and distributed under the GNU General Public License. According to the report, successful exploitation of these flaws could enable several attack scenarios.

Below is a brief description of each reported flaw, together with its CVE identifier and the score assigned under the Common Vulnerability Scoring System (CVSS).

CVE-2021-43558: Inadequate sanitization of user-supplied data in the filetype admin tool would allow remote threat actors to trick a victim into following a specially crafted link and run arbitrary HTML and script code in the victim’s browser.

This is a low severity flaw and received a CVSS score of 5.3/10.

CVE-2021-43560: An insecure direct object reference (IDOR) error would allow remote attackers to fetch other users’ calendar action events.

The vulnerability received a CVSS score of 5.7/10 and its successful exploitation may result in a privilege escalation attack.

CVE-2021-3943: Improper input validation when restoring malformed backup files would allow remote attackers to send specially crafted requests and run arbitrary code on the affected system.

This is a high severity flaw and received a CVSS score of 8.5/10.

CVE-2021-43559: Incorrect validation of the HTTP request origin in the “delete related badge” functionality allows remote attackers to trick a target user into visiting a specially crafted website that triggers arbitrary actions on the affected system on the user’s behalf.

This is a low severity flaw and received a CVSS score of 5.3/10.
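As an added illustration (not Moodle's own code), the hypothetical PHP handler below shows the two checks whose absence turns a state-changing action such as "delete related badge" into a cross-site request forgery target: the request's Origin (or Referer) header must name the site's own scheme and host, and a per-session token must accompany the request. `$SITE_URL`, the `csrf_token` session key and the `delete_related_badge()` stub are assumed placeholders.

```php
<?php
// Added example, not Moodle's own code. Placeholders: $SITE_URL, the 'csrf_token'
// session key and the delete_related_badge() stub.
declare(strict_types=1);
$SITE_URL = 'https://lms.example.org'; // constructed sample of the site's canonical URL

// Check 1: the Origin header (or, if absent, Referer) must name this site's scheme and host.
// A page on another site cannot set these headers to our value, so a mismatch or a
// missing header is treated as cross-site and rejected (fail closed).
function request_origin_ok(string $siteUrl, array $server): bool {
    $source = $server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? null;
    if ($source === null) { return false; }
    $parts = parse_url($source);
    if ($parts === false || !isset($parts['host'])) { return false; }
    return strcasecmp($parts['host'], (string) parse_url($siteUrl, PHP_URL_HOST)) === 0
        && ($parts['scheme'] ?? '') === parse_url($siteUrl, PHP_URL_SCHEME);
}

// Check 2: a per-session anti-CSRF token (Moodle's equivalent is the "sesskey") must be
// submitted with the request and compared in constant time.
function csrf_token_ok(array $post, array $session): bool {
    $sent   = $post['csrf_token'] ?? '';
    $stored = $session['csrf_token'] ?? '';
    return $stored !== '' && is_string($sent) && hash_equals($stored, $sent);
}

// Placeholder for the actual deletion logic.
function delete_related_badge(int $badgeId, int $relatedId): void {
    error_log("deleting relation $badgeId -> $relatedId");
}

session_start();
if (empty($_SESSION['csrf_token'])) {
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32)); // issued once, embedded in forms
}

// Vulnerable pattern the advisory describes: acting on any request that reaches the URL,
// so a crafted third-party page can make a logged-in user's browser trigger the deletion.
//   delete_related_badge((int) $_GET['badgeid'], (int) $_GET['relatedid']);

// Hardened handler: state-changing requests must be POST, same-origin and token-bearing.
if ($_SERVER['REQUEST_METHOD'] !== 'POST'
    || !request_origin_ok($SITE_URL, $_SERVER)
    || !csrf_token_ok($_POST, $_SESSION)) {
    http_response_code(403);
    exit('Cross-site request rejected');
}
delete_related_badge((int) ($_POST['badgeid'] ?? 0), (int) ($_POST['relatedid'] ?? 0));
```

The origin check alone is not sufficient on its own (some clients omit both headers), which is why the token check is kept as the primary control and the origin check as defence in depth.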

According to the report, these flaws reside in the following versions of Moodle: 3.9.0, 3.9.1, 3.9.2, 3.9.3, 3.9.4, 3.9.5, 3.9.6, 3.9.7, 3.9.8, 3.9.9, 3.9.10, 3.10.0, 3.10.1, 3.10.2, 3.10.3, 3.10.4, 3.10.5, 3.10.6, 3.10.7, 3.11.0, 3.11.1, 3.11.2 & 3.11.3.

While these flaws can be exploited by unauthenticated remote threat actors, no exploitation attempts have been detected in the wild so far. Still, cybersecurity specialists recommend applying the latest updates as soon as possible.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.