CVE-2021-43559 — Moodle contains CSRF vulnerability

Description

A flaw was found in Moodle in versions 3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10 and earlier unsupported versions. The "delete related badge" functionality did not include the necessary token check to prevent a CSRF risk.

How to fix CVE-2021-43559

To remediate CVE-2021-43559, upgrade the affected package to a fixed version below.

Bitnami/moodle—upgrade to 3.8.9 or later
—upgrade to 3.11.4 or later

Is CVE-2021-43559 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 3.8.9, >= 3.9.0, < 3.9.11, >= 3.10.0, < 3.10.8, >= 3.11.0, < 3.11.4
>= 3.11, < 3.11.4

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References (4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2021-43559
WEBbugzilla.redhat.com/show_bug.cgi?id=2021517
WEBgithub.com/moodle/moodle/commit/20d41ebae4eb28269298504c68db511a05ec4969
WEBmoodle.org/mod/forum/discuss.php?d=429099