CERT-In Warns of 4 High-Risk Flaws in Moodle
XSS Vulnerability Is the Most Severe; Fixes Issued in New Versions
Learning management platform Moodle, which caters to about 300 million users in 241 countries, is vulnerable to multiple high-risk flaws, according to a security advisory issued by the Indian Computer Emergency Response Team, or CERT-In.
A remote attacker could trick end users into visiting a specially crafted webpage and exploit the vulnerabilities to perform actions on behalf of the user on the targeted website. A successful exploit could allow the attacker to escalate privileges, perform cross-site scripting attacks, execute code and carry out cross-site request forgery attacks on the target's computer, the CERT-In advisory notes.
None of the four vulnerabilities in the free open-source platform have been exploited yet, according to the National Vulnerability Database. Moodle's security log notes that the vulnerabilities have been fixed in versions 3.11.4, 3.10.8 and 3.9.11.
A critical cross-site scripting or XSS vulnerability, tracked as CVE-2021-43558, is the most severe, the advisory says. It has not been assigned a CVSS score yet, as investigation is still underway. The flaw could allow a remote attacker to steal potentially sensitive information, change the appearance of a web page and perform phishing and drive-by download attacks, the advisory adds.
An XSS attack is carried out by threat actors using a web application to send malicious code in the form of a browser-side script to an end user, according to the Open Web Application Security Project.
Since the end user's browser sees the malicious script coming from a trusted source, it allows the script to access cookies, session tokens and other sensitive information contained in the browser, says vulnerability intelligence firm Cybersecurity Help. The firm says that XSS attacks are considered high-risk because they could allow threat actors to hijack a victim’s session and completely take over their account.
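The mechanism described above, as an added illustration that is not part of the advisory or of Moodle's code base: a server-side template that concatenates a user-supplied value into HTML lets a browser-side script ride along with ordinary content, and contextual output escaping is the control that breaks that. The function names (renderProfileCardUnsafe, renderProfileCardSafe, escapeHtml, containsScriptTag) and the display-name payload are constructed for this example and stand in for any page-assembly code.

```javascript
// Added example: unescaped output versus HTML-escaped output.
// All names and the sample payload below are constructed for illustration.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape a value for insertion into HTML element content or a quoted attribute.
// This is the single control that turns markup characters into inert text.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable rendering: the user-controlled display name is concatenated verbatim,
// so any markup it carries becomes part of the page the browser trusts.
function renderProfileCardUnsafe(displayName) {
  return `<div class="profile"><h2>${displayName}</h2></div>`;
}

// Hardened rendering: every untrusted value passes through escapeHtml first.
function renderProfileCardSafe(displayName) {
  return `<div class="profile"><h2>${escapeHtml(displayName)}</h2></div>`;
}

// Regression guard for unit tests: flags a live <script> element in generated
// markup. A check like this catches an escaping regression; it does not replace
// escaping, since scripts can also be injected via attributes and other contexts.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample input: a display name carrying the classic test payload.
const CONSTRUCTED_PAYLOAD = 'Alice<script>alert(1)</script>';

// Returns both renderings so a caller (or test) can compare them side by side.
function demo() {
  const unsafe = renderProfileCardUnsafe(CONSTRUCTED_PAYLOAD);
  const safe = renderProfileCardSafe(CONSTRUCTED_PAYLOAD);
  return {
    unsafe,
    safe,
    unsafeExecutes: containsScriptTag(unsafe), // true: script reaches the browser
    safeExecutes: containsScriptTag(safe),     // false: rendered as literal text
  };
}

console.log(demo());
```

The escaping shown here is for the HTML element-content and attribute-value contexts only; values placed into URLs, inline JavaScript or CSS need the escaping rules of that context, and a template engine that escapes by default removes the per-call discipline that the unsafe function above relies on.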
This vulnerability, discovered by Red Hat Brazil product engineer Guilherme Almeida Suckevicz, was found in Moodle versions 3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10, as well as earlier unsupported versions.
Among the other three Moodle vulnerabilities identified, CVE-2021-43560 can enable attackers to fetch other users' calendar action events due to insufficient capability checks, CVE-2021-3943 can create remote code execution risk when restoring backup files, and CVE-2021-43559 is a cross-site request forgery vulnerability. Of the three flaws, CVE-2021-3943 has been assigned a CVSS score of 9.8, while the other two are still being analyzed, according to MITRE data.
Moodle's Track Record
The learning platform's security log shows that in September 2021, a vulnerability tracked as CVE-2021-40695 allowed students to view their test grades before release. In the same month, a type-juggling vulnerability posed a serious authentication bypass risk, while another vulnerability created a session hijack risk, the security log shows.
In July, a separate vulnerability made it possible for attackers to blindly bypass URL-blocked hosts due to insufficient redirect handling. The same month, pentesting firm Haxolot found a remote code execution vulnerability in the logout feature of Moodle's authentication module.