Cybersecurity specialists reported the detection of multiple security flaws in Moodle, a free and open-source learning management system (LMS) written in PHP and distributed under the GNU General Public License. According to the report, successful exploitation of these flaws would allow deploying multiple risk scenarios.

Below is a brief description of the reported flaws, in addition to their tracking keys and score assigned by the Common Vulnerability Scoring System (CVSS).

CVE-2021-43558: The inadequate sanitization of user-supplied data in the filetype admin tool would allow remote threat actors to trick the victim into following a specially crafted link, running arbitrary HTML and script code in the victim’s browser.

This is a low severity flaw and received a CVSS score of 5.3/10.

CVE-2021-43560: An insecure direct object reference (IDOR) error would allow remote attackers to fetch other users’ calendar action events.

The vulnerability received a CVSS score of 5.7/10 and its successful exploitation may result in a privilege escalation attack.
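The IDOR described above is, in general terms, a missing ownership check: the server looks up a record by the identifier the client supplies without confirming that the requesting user is allowed to see it. The following is an added example in plain PHP, not Moodle code; the table name `hypo_calendar_event`, the in-memory SQLite store and the sample rows are constructed for illustration. It places the vulnerable lookup beside the hardened one so the difference is visible.

```php
<?php
declare(strict_types=1);

// Vulnerable pattern: any authenticated user can read any event just by knowing its id.
function get_action_event_vulnerable(PDO $db, int $eventid): ?array
{
    $stmt = $db->prepare('SELECT id, userid, name FROM hypo_calendar_event WHERE id = :id');
    $stmt->execute([':id' => $eventid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hardened pattern: the event is returned only when it belongs to the requesting user.
// The ownership condition is part of the query itself, so it cannot be skipped by a
// later code path that forgets to check.
function get_action_event_hardened(PDO $db, int $eventid, int $requestinguserid): ?array
{
    $stmt = $db->prepare(
        'SELECT id, userid, name FROM hypo_calendar_event WHERE id = :id AND userid = :uid'
    );
    $stmt->execute([':id' => $eventid, ':uid' => $requestinguserid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Answering "not found" rather than "forbidden" avoids confirming that the id exists.
    return $row === false ? null : $row;
}

// Constructed sample data (hypothetical table, in-memory SQLite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE hypo_calendar_event (id INTEGER PRIMARY KEY, userid INTEGER NOT NULL, name TEXT NOT NULL)');
$db->exec("INSERT INTO hypo_calendar_event (id, userid, name) VALUES
           (1, 10, 'Alice: assignment due'),
           (2, 20, 'Bob: quiz opens')");

$alice = 10;
var_dump(get_action_event_vulnerable($db, 2) !== null);       // true: Alice can read Bob's event
var_dump(get_action_event_hardened($db, 2, $alice) === null);  // true: denied for Alice
var_dump(get_action_event_hardened($db, 1, $alice)['name']);   // "Alice: assignment due"
```

In a real LMS the check would usually be a capability or role test rather than a bare `userid` column comparison, but the principle is the same: the authorization decision must be bound to the record being fetched, not left to the caller.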

CVE-2021-3943: The improper input validation when restoring malformed backup files would allow remote malicious hackers to send specially crafted requests, thus running arbitrary code on the affected system.

This is a high severity flaw and received a CVSS score of 8.5/10.

CVE-2021-43559: Incorrect validation of the HTTP request origin in the “delete related badge” functionality would allow remote attackers to lure a target user to a specially crafted website that performs arbitrary actions on the affected system.

This is a low severity flaw and received a CVSS score of 5.3/10.
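The flaw above is a cross-site request forgery: a state-changing action is accepted without proof that the request was initiated by the site itself. The following added example, which is not Moodle code, shows a hypothetical “delete related badge” handler first without any origin validation and then hardened with two independent checks: a session-bound anti-CSRF token that a third-party page cannot read, and a comparison of the `Origin` (or, failing that, `Referer`) header against the site origin. The constant `SITE_ORIGIN`, the in-memory badge store and the request arrays are constructed for illustration.

```php
<?php
declare(strict_types=1);

const SITE_ORIGIN = 'https://lms.example.test'; // assumed site origin for the example

// Constant-time comparison of the submitted token against the one stored in the session.
function csrf_token_is_valid(array $session, array $request): bool
{
    if (!isset($session['csrf_token'], $request['csrf_token'])) {
        return false;
    }
    return hash_equals($session['csrf_token'], (string) $request['csrf_token']);
}

// Accepts the request only when Origin (or, failing that, Referer) matches the site.
// A request carrying neither header is refused rather than assumed to be same-site.
function request_origin_is_valid(array $headers, string $siteOrigin = SITE_ORIGIN): bool
{
    $candidate = $headers['Origin'] ?? null;
    if ($candidate === null && isset($headers['Referer'])) {
        $parts = parse_url($headers['Referer']);
        if (!isset($parts['scheme'], $parts['host'])) {
            return false;
        }
        $candidate = $parts['scheme'] . '://' . $parts['host'];
        if (isset($parts['port'])) {
            $candidate .= ':' . $parts['port'];
        }
    }
    return $candidate !== null && strcasecmp($candidate, $siteOrigin) === 0;
}

// Vulnerable pattern: any request naming a badge id deletes it.
function delete_related_badge_vulnerable(array $request, array &$store): bool
{
    unset($store[(int) $request['badgeid']]);
    return true;
}

// Hardened pattern: POST only, token and origin verified before state changes.
function delete_related_badge_hardened(array $request, array $headers, array $session, array &$store): bool
{
    if (($request['_method'] ?? 'GET') !== 'POST') {
        return false;
    }
    if (!csrf_token_is_valid($session, $request) || !request_origin_is_valid($headers)) {
        return false;
    }
    unset($store[(int) $request['badgeid']]);
    return true;
}

// Constructed scenario: the victim's session holds a token; a forged cross-site request does not.
$session = ['csrf_token' => bin2hex(random_bytes(16))];
$store   = [7 => 'related badge'];

$forged        = ['_method' => 'POST', 'badgeid' => 7];
$forgedHeaders = ['Origin' => 'https://third-party.example.test'];
var_dump(delete_related_badge_hardened($forged, $forgedHeaders, $session, $store)); // false, badge kept

$legit        = ['_method' => 'POST', 'badgeid' => 7, 'csrf_token' => $session['csrf_token']];
$legitHeaders = ['Origin' => SITE_ORIGIN];
var_dump(delete_related_badge_hardened($legit, $legitHeaders, $session, $store));   // true, badge removed
var_dump($store);                                                                   // empty array

$store = [7 => 'related badge'];
var_dump(delete_related_badge_vulnerable($forged, $store));                         // true: forged request succeeds
```

The token is the primary defense; the header check is a secondary layer, because some clients strip `Referer` and older ones omit `Origin`, which is why a missing header is treated as a failure for a state-changing action rather than silently allowed.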

According to the report, these flaws reside in the following versions of Moodle: 3.9.0, 3.9.1, 3.9.2, 3.9.3, 3.9.4, 3.9.5, 3.9.6, 3.9.7, 3.9.8, 3.9.9, 3.9.10, 3.10.0, 3.10.1, 3.10.2, 3.10.3, 3.10.4, 3.10.5, 3.10.6, 3.10.7, 3.11.0, 3.11.1, 3.11.2 & 3.11.3.

While the flaws can be exploited by unauthenticated remote threat actors, so far no exploitation attempts have been detected in the wild. Still, cybersecurity specialists recommend applying the latest updates as soon as possible.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.

The post 4 critical vulnerabilities in Moodle, an open-source learning platform/course management system (CMS) appeared first on Information Security Newspaper | Hacking News.

