CVE-2018-16854

MEDIUM

Moodle <3.6 - CSRF

Title source: llm

Description

A flaw was found in moodle versions 3.5 to 3.5.2, 3.4 to 3.4.5, 3.3 to 3.3.8, 3.1 to 3.1.14 and earlier. The login form is not protected by a token to prevent login cross-site request forgery. Fixed versions include 3.6, 3.5.3, 3.4.6, 3.3.9 and 3.1.15.

Exploits (1)

nomisec WORKING POC 7 stars

by danielthatcher · poc

https://github.com/danielthatcher/moodle-login-csrf

View Code ZIP pw:eip

References (5)

[Patch, Vendor Advisory] http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-63183

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/106017

[Third Party Advisory, VDB Entry] http://www.securitytracker.com/id/1042154

[Issue Tracking, Patch, Third Party Advisory] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16854

[Vendor Advisory] https://moodle.org/mod/forum/discuss.php?d=378731

Scores

CVSS v3 6.5

EPSS 0.0118

EPSS Percentile 78.8%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

Details

CWE

CWE-352

Status published

Products (2)

moodle/moodle < 3.0.10

moodle/moodle 3.1 - 3.1.15Packagist

Published Nov 26, 2018

Tracked Since Feb 18, 2026