Cleartext Transmission of Sensitive Information

CVE-2024-43432

Medium

6.9/10

Summary

A flaw was found in moodle. The cURL wrapper in Moodle strips "HTTPAUTH" and "USERPWD" headers during emulated redirects, but retains other original request headers, so HTTP authorization header information could be unintentionally sent in requests to redirect URLs. This issue affects moodle/moodle versions prior to 4.1.12, 4.2.x prior to 4.2.9, 4.3.x prior to 4.3.6, and 4.4.x prior to 4.4.2.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: NONE
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: NONE
Confidentiality Impact: LOW
Availability Impact: NONE

CWE-319 - Cleartext Transmission of Sensitive Information

The software transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.

References

Advisory
Advisory
Issue

Advisory Timeline

Published Nov 11, 2024

Cleartext Transmission of Sensitive Information

CVE-2024-43432

Summary

CWE-319 - Cleartext Transmission of Sensitive Information

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS