CSRF Token Vulnerability in Moodle
CVE-2019-10186

6.5 MEDIUM

Key Information:

Vendor: Moodle
CVE Published: 31 July 2019

What is CVE-2019-10186?

Moodle's XML loading and unloading admin tool did not correctly require the sesskey, the per-session token Moodle uses as its CSRF protection, before performing its state-changing actions. Because the tool acted on nothing more than the administrator's session cookie, which the browser attaches automatically, an attacker could craft a link or a page that causes a logged-in administrator's browser to issue the load or unload request, and the server would accept it as if the administrator had triggered it. The attacker never needs the sesskey value, only a victim with an active admin session who visits attacker-controlled content. The issue affects Moodle releases before 3.7.1, 3.6.5 and 3.5.7; administrators should upgrade to one of those releases or later, and, as a check, confirm that every action of the tool now rejects a request that omits the sesskey parameter.
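The following is an added illustration of the missing check, not Moodle's code. It models a session-bound CSRF token in the style of Moodle's sesskey and runs the same two requests (one from the administrator's own page, one forged by an attacker who can only rely on the browser sending the session cookie) against a handler without the check and a handler with it. The "XML loading" handler, the file names and the session contents are constructed for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field


class CsrfError(Exception):
    """Raised when a state-changing request lacks a valid session token."""


@dataclass
class Session:
    """Server-side session resolved from the browser's cookie (constructed model)."""
    user: str
    # sesskey-style token: random, bound to this session, only ever embedded in
    # pages served to this user, never readable from a cross-site page.
    sesskey: str = field(default_factory=lambda: secrets.token_urlsafe(16))


@dataclass
class Request:
    session: Session   # the browser attaches the cookie to any request, forged or not
    params: dict       # query/form parameters, which the attacker fully controls


def is_valid_sesskey(session: Session, supplied) -> bool:
    """True only if the supplied token matches the session's token (constant-time)."""
    if not isinstance(supplied, str):
        return False
    return hmac.compare_digest(session.sesskey, supplied)


def require_sesskey(request: Request) -> None:
    """Reject the request unless it carries the session's CSRF token."""
    if not is_valid_sesskey(request.session, request.params.get("sesskey")):
        raise CsrfError("missing or invalid sesskey")


def load_xml_vulnerable(request: Request, store: list) -> bool:
    """Hypothetical 'load XML' action that trusts the session cookie alone."""
    store.append(request.params["file"])
    return True


def load_xml_fixed(request: Request, store: list) -> bool:
    """Same action with the token check the advisory describes as missing."""
    require_sesskey(request)
    store.append(request.params["file"])
    return True


def simulate(handler):
    """Run a legitimate and a forged request through `handler`.

    Returns (legit_accepted, forged_accepted, files_loaded).
    """
    admin = Session(user="admin")
    store: list = []
    # Legitimate request: issued from a Moodle page, so it carries the sesskey.
    legit = Request(admin, {"file": "db/install.xml", "sesskey": admin.sesskey})
    # Forged request: the victim's browser sends the cookie, but the attacker's
    # page cannot read the sesskey, so the parameter is absent (or a guess).
    forged = Request(admin, {"file": "attacker.xml"})
    results = []
    for req in (legit, forged):
        try:
            results.append(handler(req, store))
        except CsrfError:
            results.append(False)
    return results[0], results[1], store


if __name__ == "__main__":
    print("vulnerable:", simulate(load_xml_vulnerable))
    print("fixed:     ", simulate(load_xml_fixed))
```

Against the vulnerable handler both requests succeed and the attacker's file is loaded; against the fixed handler the legitimate request still succeeds while the forged one is rejected. A guessed token fails for the same reason as a missing one, which is why the token must be unpredictable per session rather than a fixed or user-derived value.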

Affected Version(s)

Moodle 3.7 before 3.7.1

Moodle 3.6 before 3.6.5

Moodle 3.5 before 3.5.7

The issue is fixed in 3.7.1, 3.6.5 and 3.5.7.

CVSS V3.1

Score: 6.5
Severity: MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required (a CSRF needs the victim administrator to visit attacker-controlled content)
Scope: Unchanged
Confidentiality: None
Integrity: High (the attacker drives an admin-level load/unload action in the victim's session)
Availability: None

Timeline

  • Vulnerability reserved

  • Vulnerability published (31 July 2019)