CVE-2024-38276: moodle: CSRF risks due to misuse of confirm_sesskey
First published: Tue Jun 18 2024(Updated: )
Incorrect CSRF token checks resulted in multiple CSRF risks.
Credit: patrick@puiterwijk.org patrick@puiterwijk.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| composer/moodle/moodle | <4.1.11 | 4.1.11 |
| composer/moodle/moodle | >=4.2.0-beta<4.2.8 | 4.2.8 |
| composer/moodle/moodle | >=4.3.0-beta<4.3.5 | 4.3.5 |
| composer/moodle/moodle | >=4.4.0-beta<4.4.1 | 4.4.1 |
| Fedora | =39 | |
| Fedora | =40 | |
| Moodle | <4.1.10 | |
| Moodle | >=4.2.0<4.2.8 | |
| Moodle | >=4.3.0<4.3.5 | |
| Moodle | =4.4.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://moodle.org/mod/forum/discuss.php?d=459501
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F7AZYR7EXV6E5SQE2GYTNQE3NOENJCQ6/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GHTIX55J4Q4LEOMLNEA4OZSWVEENQX7E/
- https://nvd.nist.gov/vuln/detail/CVE-2024-38276
- https://github.com/moodle/moodle/commit/f2807dee5bc777d9c58b7a70cba6e4c21ee02ea1
- https://github.com/moodle/moodle/commit/e23f603c41055ab92f9b430cf0e7a54b4e120f95
- https://github.com/moodle/moodle/commit/e1dab5f38166a2ff62983178f7bf8f0ed3a61090
- https://github.com/moodle/moodle/commit/dc84fcfab06a4a0fe37797b8422e9fe3a1031c3e
- https://github.com/moodle/moodle/commit/da8e8cee6ffaf7c184eded97e1016f20c9de0561
- https://github.com/moodle/moodle/commit/c5b1604e8136db6d72057dd8052955058489206c
- https://github.com/moodle/moodle/commit/c1aacb3e2884ea4dcc221c5ef2e449ce345f78ae
- https://github.com/moodle/moodle/commit/c18b59808cefe7b54c85dce6bf2cc71601080667
- https://github.com/moodle/moodle/commit/a0d8c025f732d5c18a2b9d1a8e5cbee35dce86f4
- https://github.com/moodle/moodle/commit/9af9711c0a78ebad87d49bcb369ff813bc57d0a7
- https://github.com/moodle/moodle/commit/756090ed79aa056d0b5f58e7a1dff67f139f76b4
- https://github.com/moodle/moodle/commit/57f20b6cb352893871c3afdfa8a4c09a96e16764
- https://github.com/moodle/moodle/commit/31ced0851189a6879e4cd27c7e65d21dd9d6e87e
- https://github.com/moodle/moodle/commit/30fadc3686fa7490860a0bd87a29636139dfb371
- https://github.com/moodle/moodle/commit/137d311fd1354c679b974633512a771e6e0559a1
- https://github.com/moodle/moodle/commit/093aedf79889114d004495f05969168b646b0285
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F7AZYR7EXV6E5SQE2GYTNQE3NOENJCQ6
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GHTIX55J4Q4LEOMLNEA4OZSWVEENQX7E
- https://github.com/advisories/GHSA-356g-7x36-7m34 (Advisory)
Frequently Asked Questions
What is the severity of CVE-2024-38276?
CVE-2024-38276 has been classified with multiple CSRF risks due to incorrect CSRF token checks, indicating a moderate severity.
How do I fix CVE-2024-38276?
To remediate CVE-2024-38276, update Moodle to versions 4.1.11, 4.2.8, 4.3.5, or 4.4.1.
Which versions of Moodle are affected by CVE-2024-38276?
CVE-2024-38276 affects Moodle versions below 4.1.11, between 4.2.0 and 4.2.8, between 4.3.0 and 4.3.5, and version 4.4.0.
Does CVE-2024-38276 affect Fedora users?
Yes, CVE-2024-38276 affects Fedora users who are using vulnerable versions of Moodle.
What is the nature of the vulnerability in CVE-2024-38276?
CVE-2024-38276 involves incorrect checks for CSRF tokens, which can lead to multiple CSRF exploitation opportunities.
- agent/weakness
- agent/title
- agent/description
- agent/type
- agent/first-publish-date
- agent/author
- agent/references
- collector/mitre-cve
- source/MITRE
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-356g-7x36-7m34
- alias/CVE-2024-38276
- agent/software-canonical-lookup
- agent/last-modified-date
- agent/remedy
- agent/severity
- collector/github-advisory
- agent/event
- agent/trending
- agent/source
- agent/tags
- agent/softwarecombine
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup-request
- collector/nvd-cve
- package-manager/composer
- vendor/fedoraproject
- canonical/fedora
- version/fedora/39
- version/fedora/40
- vendor/moodle
- canonical/moodle
- version/moodle/4.2.0
- version/moodle/4.3.0
- version/moodle/4.4.0