CVE-2019-6970 — Moodle SSRF Vulnerability

Description

The `edit_blog.php` script allows a registered user to add external RSS feed resources. It was identified that this feature could be abused to be used as a SSRF attack vector by adding a malicious URL/TCP PORT in order to target internal network or an internet hosted server, bypassing firewall rules, IP filtering and more. This kind of vulnerability is then called “blind” because of no response available on Moodle web site, enforcing attacker to exploit it using a “time based” approach.

How to fix CVE-2019-6970

To remediate CVE-2019-6970, upgrade the affected package to a fixed version below.

—upgrade to 3.5.4 or later

Is CVE-2019-6970 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

>= 3.5.0, < 3.5.4

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

References (6)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2019-6970
PATCHgithub.com/moodle/moodle
WEBcds.thalesgroup.com/en/tcs-cert/CVE-2019-6970
WEBexcellium-services.com/cert-xlm-advisory/cve-2019-6970
WEB