
Cross-Site Request Forgery (CSRF)

CVE-2022-45149

Severity: Medium
Score: 5.4/10

Summary

A vulnerability was found in Moodle versions prior to 3.9.18, 3.11.x prior to 3.11.11, and 4.0.x prior to 4.0.5. The course restore workflow redirected the user to the newly restored course with the user's CSRF token (Moodle's session key) unnecessarily included in the redirect URL, and the request origin was not sufficiently validated. A token carried in a URL is exposed wherever URLs are recorded or forwarded (browser history, Referer headers, proxy and server logs), so it no longer reliably proves that a request was made from the site's own pages. A remote attacker who obtains the token can trick the victim into visiting a specially crafted web page that submits a state-changing request to the vulnerable site on the victim's behalf, with the victim's privileges. This flaw allows an attacker to perform Cross-Site Request Forgery attacks.

CVSS v3 base metrics

  • Attack Complexity: LOW
  • Attack Vector: NETWORK
  • Privileges Required: LOW
  • Scope: UNCHANGED
  • User Interaction: REQUIRED
  • NONE
  • LOW
  • NONE

CWE-352 - Cross-Site Request Forgery (CSRF)

Cross-Site Request Forgery (CSRF) is a vulnerability in which an attacker causes a victim's browser to send requests to a web application in which the victim is already authenticated. Because the browser attaches the victim's session cookies automatically, the application processes the forged request as a legitimate action of the victim, and the attacker can make state-changing requests without ever learning the victim's credentials. The impact of a successful CSRF attack ranges from minor to severe, depending on the capabilities exposed by the vulnerable application and on the privileges of the affected user: an attacker may force a user to transfer funds or change their email address or password, and if an administrative account is affected, the whole application and its sensitive data may be compromised. The standard defences are a per-session anti-CSRF token that is submitted only in the body of state-changing (POST) requests and never placed in URLs, and server-side validation of the request's Origin or Referer header against the application's own origin.
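The following is an added worked example, not Moodle's code or any code from this advisory, modelling both the pattern described in the Summary (a CSRF token appended to a post-restore redirect URL) and the general defences described under CWE-352. It assumes a hypothetical site origin `https://lms.example`, a per-session token named `sesskey` (Moodle's name for its CSRF token), and, as the leakage channel, a Referer header carrying the full redirect URL when the victim follows a link to an attacker-controlled page; the advisory does not state which channel leaked the token, and a Referer policy that strips the query string would close that particular channel while logs and history would still expose the URL. All requests and sessions are constructed in memory so the example runs offline.

```python
"""CSRF token in a redirect URL (leaky) versus a hardened handler (constructed example)."""
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

SITE_ORIGIN = "https://lms.example"  # hypothetical origin of the vulnerable application


def new_session():
    """A logged-in session with a fresh per-session CSRF token (Moodle calls it 'sesskey')."""
    return {"user": "teacher", "sesskey": secrets.token_urlsafe(16)}


# --- redirect after a course restore -------------------------------------------------
def vulnerable_restore_redirect(session, course_id):
    """Leaky pattern: the CSRF token rides along in the query string of the redirect."""
    qs = urlencode({"id": course_id, "sesskey": session["sesskey"]})
    return f"{SITE_ORIGIN}/course/view.php?{qs}"


def hardened_restore_redirect(session, course_id):
    """Viewing a course needs no token, so the redirect URL carries none."""
    return f"{SITE_ORIGIN}/course/view.php?{urlencode({'id': course_id})}"


# --- a state-changing endpoint -------------------------------------------------------
def vulnerable_handle_action(request, session):
    """Accepts the token from the body OR the query string and ignores where the request came from."""
    qs = parse_qs(urlparse(request["url"]).query)
    token = request.get("form", {}).get("sesskey") or qs.get("sesskey", [None])[0]
    if token != session["sesskey"]:
        return 403, "invalid sesskey"
    return 200, f"{request.get('form', {}).get('action')} performed for {session['user']}"


def _same_site(header_value):
    """True when an Origin/Referer value names our own origin."""
    p = urlparse(header_value)
    return f"{p.scheme}://{p.netloc}" == SITE_ORIGIN


def hardened_handle_action(request, session):
    """State changes only via POST, only from our own origin, only with a body-carried token."""
    if request["method"] != "POST":
        return 405, "method not allowed"
    # Origin first, Referer as fallback; a request that sends neither is rejected (conservative choice).
    origin = request["headers"].get("Origin") or request["headers"].get("Referer")
    if origin is None or not _same_site(origin):
        return 403, "cross-site request rejected"
    token = request.get("form", {}).get("sesskey")
    if token is None or not hmac.compare_digest(token, session["sesskey"]):
        return 403, "invalid sesskey"
    return 200, f"{request['form'].get('action')} performed for {session['user']}"


# --- the attack ---------------------------------------------------------------------
def leaked_token_from_referer(referer):
    """What a third-party page learns if the browser sends the full landing URL as Referer."""
    return parse_qs(urlparse(referer).query).get("sesskey", [None])[0]


def attack_scenario(handler, redirect_builder):
    """Returns (token_leaked, status of the forged request) for a given handler/redirect pair."""
    session = new_session()
    landing = redirect_builder(session, 42)          # victim restores course 42 and lands here
    leaked = leaked_token_from_referer(landing)      # assumed leakage channel (see lead-in)
    forged = {                                       # constructed cross-site POST from the attacker page
        "method": "POST",
        "url": f"{SITE_ORIGIN}/course/delete.php",
        "headers": {"Origin": "https://attacker.example"},
        "form": {"action": "delete", "id": "42", "sesskey": leaked},
    }
    status, _ = handler(forged, session)
    return leaked is not None, status


def legitimate_request(session):
    """A genuine same-origin POST with the token in the body (constructed)."""
    return {
        "method": "POST",
        "url": f"{SITE_ORIGIN}/course/delete.php",
        "headers": {"Origin": SITE_ORIGIN},
        "form": {"action": "delete", "id": "42", "sesskey": session["sesskey"]},
    }


if __name__ == "__main__":
    print("vulnerable:", attack_scenario(vulnerable_handle_action, vulnerable_restore_redirect))
    print("hardened  :", attack_scenario(hardened_handle_action, hardened_restore_redirect))
```

Running the module shows the vulnerable pair leaking the token and accepting the forged delete, while the hardened pair leaks nothing and rejects the request. The order of checks in `hardened_handle_action` matters: the origin check runs before the token check, so even a token leaked through some other channel (a log, a shared screenshot) does not let a cross-site page through, and the token comparison uses `hmac.compare_digest` so timing does not reveal how much of a guessed token matched.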

Advisory Timeline

  • Published