CVE-2022-45149

Description

A vulnerability was found in Moodle which exists due to insufficient validation of the HTTP request origin in course redirect URL. A user's CSRF token was unnecessarily included in the URL when being redirected to a course they have just restored. A remote attacker can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website. This flaw allows an attacker to perform cross-site request forgery attacks.

• How can I get the fixes?
• What do statuses mean?

Severity score breakdown

CVSS version: CVSS v3.0

References

• MITRE
• NVD
• Launchpad
• Debian

Other references

• https://moodle.org/mod/forum/discuss.php?d=440769
• https://bugzilla.redhat.com/show_bug.cgi?id=2142772
• http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-75862
• https://www.cve.org/CVERecord?id=CVE-2022-45149