Unintentionally Sending HTTP Authorization Header Information Through Redirects
CVE-2024-38275

Currently unrated

Key Information:

Vendor: Moodle
Status: Moodle
Vendor: CVE Published:; 18 June 2024

Summary

The cURL wrapper in Moodle retained the original request headers when following redirects, so HTTP authorization header information could be unintentionally sent in requests to redirect URLs.

Affected Version(s)

Moodle 4.4

Moodle 4.3 <= 4.3.4

Moodle 4.2 <= 4.2.7

References

https://moodle.org/mod/forum/discuss.php?d=459500

Timeline

Vulnerability published
Jun 18, 2024
Vulnerability Reserved
Jun 12, 2024