Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

github логотип

GHSA-xqcf-vgqc-pcmg

Опубликовано: 25 нояб. 2022
Источник: github
Github: Прошло ревью
CVSS3: 9.1

Описание

Moodle blind Server-Side Request Forgery (SSRF) vulnerability in LTI provider library

A blind Server-Side Request Forgery (SSRF) vulnerability was found in Moodle. This flaw exists due to insufficient validation of user-supplied input in LTI provider library. The library does not utilise Moodle's inbuilt cURL helper, which resulted in a blind SSRF risk. An attacker can send a specially crafted HTTP request and trick the application to initiate requests to arbitrary systems. This vulnerability allows a remote attacker to perform SSRF attacks.

Ссылки

Пакеты

Наименование

moodle/moodle

composer
Затронутые версииВерсия исправления

>= 3.9, < 3.9.18

3.9.18

Наименование

moodle/moodle

composer
Затронутые версииВерсия исправления

>= 3.11, < 3.11.11

3.11.11

Наименование

moodle/moodle

composer
Затронутые версииВерсия исправления

>= 4.0, < 4.0.5

4.0.5

EPSS

Процентиль: 50%
0.00268
Низкий

9.1 Critical

CVSS3

CVE ID

CVE-2022-45152

Дефекты

CWE-918

Связанные уязвимости

ubuntu логотип

CVE-2022-45152

CVSS3: 9.1
ubuntu
больше 2 лет назад

A blind Server-Side Request Forgery (SSRF) vulnerability was found in Moodle. This flaw exists due to insufficient validation of user-supplied input in LTI provider library. The library does not utilise Moodle's inbuilt cURL helper, which resulted in a blind SSRF risk. An attacker can send a specially crafted HTTP request and trick the application to initiate requests to arbitrary systems. This vulnerability allows a remote attacker to perform SSRF attacks.

nvd логотип

CVE-2022-45152

CVSS3: 9.1
nvd
больше 2 лет назад

A blind Server-Side Request Forgery (SSRF) vulnerability was found in Moodle. This flaw exists due to insufficient validation of user-supplied input in LTI provider library. The library does not utilise Moodle's inbuilt cURL helper, which resulted in a blind SSRF risk. An attacker can send a specially crafted HTTP request and trick the application to initiate requests to arbitrary systems. This vulnerability allows a remote attacker to perform SSRF attacks.

debian логотип

CVE-2022-45152

CVSS3: 9.1
debian
больше 2 лет назад

A blind Server-Side Request Forgery (SSRF) vulnerability was found in ...

fstec логотип

BDU:2022-07408

CVSS3: 9.1
fstec
больше 2 лет назад

Уязвимость системы управления курсами Moodle, связанная с недостаточной проверкой введенных пользователем данных в библиотеке поставщика LTI, позволяющая нарушителю выполнять SSRF-атаки

redos логотип

ROS-20221222-03

CVSS3: 9.1
redos
больше 2 лет назад

Множественные уязвимости moodle

EPSS

Процентиль: 50%
0.00268
Низкий

9.1 Critical

CVSS3

CVE ID

CVE-2022-45152

Дефекты

CWE-918