CVE-2018-16854

EPSS 1.74%
Published 26.11.2018 17:29:00
Last modified 21.11.2024 03:53:27
Source secalert@redhat.com
Teams watchlist Login
Open Login

A flaw was found in moodle versions 3.5 to 3.5.2, 3.4 to 3.4.5, 3.3 to 3.3.8, 3.1 to 3.1.14 and earlier. The login form is not protected by a token to prevent login cross-site request forgery. Fixed versions include 3.6, 3.5.3, 3.4.6, 3.3.9 and 3.1.15.

Affected products Warnungen 0 Metrics 4 CWE 1 References 8

Data is provided by the National Vulnerability Database (NVD)

Moodle ≫ Moodle Version <= 3.0.10

Moodle ≫ Moodle Version >= 3.1.0 < 3.1.15

Moodle ≫ Moodle Version >= 3.3.0 < 3.3.9

Moodle ≫ Moodle Version >= 3.4.0 < 3.4.6

Moodle ≫ Moodle Version >= 3.5.0 < 3.5.3

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	1.74%	0.819

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	8.8	2.8	5.9	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd@nist.gov	6.8	8.6	6.4	AV:N/AC:M/Au:N/C:P/I:P/A:P
secalert@redhat.com	6.5	3.9	2.5	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

CWE-352 Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-63183

Patch

Vendor Advisory

http://www.securityfocus.com/bid/106017

Third Party Advisory

VDB Entry

http://www.securitytracker.com/id/1042154

Third Party Advisory

VDB Entry

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16854

Patch

Third Party Advisory