#VU16009 Cross-site request forgery in Moodle - CVE-2018-16854
Published: November 21, 2018 / Updated: November 22, 2018
Vulnerability identifier: #VU16009
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/U:Clear
CVE-ID: CVE-2018-16854
CWE-ID: CWE-352
Exploitation vector: Remote access
Exploit availability:
Public exploit is available
Vulnerable software:
Moodle
Moodle
Software vendor:
moodle.org
moodle.org
Description
The vulnerability allows a remote authenticated attacker to perform CSRF attack.
The weakness exists in the web-based management interface due to insufficient CSRF protections. A remote attacker can create a specially crafted HTML page or URL, trick the victim into visiting it, gain access to the system and perform arbitrary actions.
The weakness exists in the web-based management interface due to insufficient CSRF protections. A remote attacker can create a specially crafted HTML page or URL, trick the victim into visiting it, gain access to the system and perform arbitrary actions.
Remediation
The vulnerability has been fixed in the versions 3.6, 3.5.3, 3.4.6, 3.3.9, 3.1.15.