CVE-2023-35133
HIGH
Moodle < 3.9.22, 4.0-4.0.8, 4.1-4.1.3, 4.2 - Server-Side Request Forgery via cURL Blocked Hosts Check Bypass
Title source: llmDescription
An issue in the logic used to check 0.0.0.0 against the cURL blocked hosts lists resulted in an SSRF risk. This flaw affects Moodle versions 4.2, 4.1 to 4.1.3, 4.0 to 4.0.8, 3.11 to 3.11.14, 3.9 to 3.9.21 and earlier unsupported versions.
References (4)
Core References
Patch, Vendor Advisory
https://moodle.org/mod/forum/discuss.php?d=447831
Issue Tracking (issue-tracking)
x_refsource_redhat
https://bugzilla.redhat.com/show_bug.cgi?id=2214373
Mailing List, Third Party Advisory (vendor-advisory)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7A72KX4WU6GK2CX4TKYFGFASPKOEOJFC/
Mailing List, Third Party Advisory (vendor-advisory)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I5QAEAGJ44NVXLAJFJXKARKC45OGEDXT/
Scores
CVSS v3
7.5
EPSS
0.0039
EPSS Percentile
60.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
total
Details
CWE
CWE-918
Status
published
Products (3)
moodle/moodle
4.2.0
moodle/moodle
< 3.9.22
moodle/moodle
4.2.0 - 4.2.1 (Packagist)
Published
Jun 22, 2023
Tracked Since
Feb 18, 2026