Moodle 3.9.x < 3.9.11 Multiple Vulnerabilities

critical Web App Scanning Plugin ID 113613

Synopsis

Moodle 3.9.x < 3.9.11 Multiple Vulnerabilities

Description

The version of Moodle installed on the remote host is 3.9.x prior to 3.9.11, 3.10.x prior to 3.10.8 or 3.11.x prior to 3.11.4. It is, therefore, affected by multiple vulnerabilities:

- A Remote Code Execution when restoring malformed backup files. (CVE-2021-3943)

- A vulnerable version of the mlbackend Python library included in Moodle.

- A Cross-Site Scripting (XSS) vulnerability due to the lack of sanitization of a URL parameter in the filetype site administrator tool. (CVE-2021-43558)

- A Cross-Site Request Forgery (CSRF) vulnerability due to the lack of token check in the 'delete related badge' functionality. (CVE-2021-43559)

- An Insecure Direct Object Reference (IDOR) vulnerability allowing users to fetch other users' calendar action events. (CVE-2021-43560)

Note that the scanner has not attempted to exploit this issue but has instead relied only on the application's self-reported version number.

Solution

Upgrade to version 3.9.11 or later.

See Also

https://moodle.org/mod/forum/discuss.php?d=429095#p1726798

https://moodle.org/mod/forum/discuss.php?d=429096#p1726799

https://moodle.org/mod/forum/discuss.php?d=429097#p1726802

https://moodle.org/mod/forum/discuss.php?d=429099#p1726805

https://moodle.org/mod/forum/discuss.php?d=429100#p1726807

Plugin Details

Severity: Critical

ID: 113613

Type: remote

Published: 2/20/2023

Updated: 3/14/2023

Scan Template: basic, full, pci, scan

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: High

Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2021-3943

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS Score Source: CVE-2021-3943

Vulnerability Information

CPE: cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*

Exploit Ease: No known exploits are available

Patch Publication Date: 11/15/2021

Vulnerability Publication Date: 11/15/2021

Reference Information

CVE: CVE-2021-3943, CVE-2021-43558, CVE-2021-43559, CVE-2021-43560

CWE: 20, 264, 352, 668, 79, 863, 94

OWASP: 2010-A1, 2010-A2, 2010-A4, 2010-A5, 2010-A8, 2013-A1, 2013-A3, 2013-A4, 2013-A7, 2013-A8, 2013-A9, 2017-A1, 2017-A5, 2017-A7, 2017-A9, 2021-A1, 2021-A3, 2021-A6

WASC: Cross-Site Request Forgery, Cross-Site Scripting, Improper Input Handling, Insufficient Authorization, OS Commanding

CAPEC: 10, 101, 104, 108, 109, 110, 111, 120, 13, 135, 136, 14, 153, 17, 182, 209, 22, 23, 230, 231, 24, 242, 250, 261, 267, 28, 3, 31, 35, 42, 43, 45, 46, 462, 467, 47, 473, 52, 53, 58, 588, 591, 592, 62, 63, 64, 67, 69, 7, 71, 72, 73, 76, 77, 78, 79, 8, 80, 81, 83, 85, 88, 9

DISA STIG: APSC-DV-000460, APSC-DV-000480, APSC-DV-002490, APSC-DV-002500, APSC-DV-002510, APSC-DV-002560, APSC-DV-002630

HIPAA: 164.306(a)(1), 164.306(a)(2), 164.312(a)(1), 164.312(a)(2)(i), 164.312(e)

ISO: 27001-A.12.6.1, 27001-A.13.1.1, 27001-A.13.1.3, 27001-A.13.2.1, 27001-A.14.1.2, 27001-A.14.1.3, 27001-A.14.2.5, 27001-A.18.1.3, 27001-A.6.2.2, 27001-A.9.1.2, 27001-A.9.4.1, 27001-A.9.4.4, 27001-A.9.4.5

NIST: sp800_53-AC-3, sp800_53-AC-4, sp800_53-CM-6b, sp800_53-SI-10, sp800_53-SI-10(5)

OWASP API: 2019-API7, 2019-API8, 2023-API8

OWASP ASVS: 4.0.2-14.2.1, 4.0.2-4.2.2, 4.0.2-5.1.3, 4.0.2-5.2.5, 4.0.2-5.3.3

PCI-DSS: 3.2-2.2, 3.2-6.2, 3.2-6.5, 3.2-6.5.1, 3.2-6.5.7, 3.2-6.5.8, 3.2-6.5.9