Описание
Moodle's mod_data edit/delete pages pass CSRF token in GET parameter
A security vulnerability was found in Moodle where confidential information that prevents cross-site request forgery (CSRF) attacks was shared publicly through the site's URL. This vulnerability occurred specifically on two types of pages within the mod_data module: edit and delete pages.
Ссылки
- https://nvd.nist.gov/vuln/detail/CVE-2025-3637
- https://github.com/moodle/moodle/commit/052007b7324ef24aebe36a876ffa4fa97fac4f81
- https://access.redhat.com/security/cve/CVE-2025-3637
- https://bugzilla.redhat.com/show_bug.cgi?id=2359727
- https://moodle.org/mod/forum/discuss.php?d=467599
- http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-65356
Пакеты
moodle/moodle
< 4.1.18
4.3.12
moodle/moodle
>= 4.3.0-beta, < 4.3.12
4.3.12
moodle/moodle
>= 4.4.0-beta, < 4.4.8
4.4.8
moodle/moodle
>= 4.5.0-beta, < 4.5.4
4.5.4
Связанные уязвимости
A security vulnerability was found in Moodle where confidential information that prevents cross-site request forgery (CSRF) attacks was shared publicly through the site's URL. This vulnerability occurred specifically on two types of pages within the mod_data module: edit and delete pages.
A security vulnerability was found in Moodle where confidential information that prevents cross-site request forgery (CSRF) attacks was shared publicly through the site's URL. This vulnerability occurred specifically on two types of pages within the mod_data module: edit and delete pages.
A security vulnerability was found in Moodle where confidential inform ...
Уязвимость модуля mod_data виртуальной обучающей среды Moodle, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации
