CVE-2021-43559
📋 TL;DR
This CVE describes a Cross-Site Request Forgery (CSRF) vulnerability in Moodle's badge deletion functionality: the deletion endpoint did not verify Moodle's session-key (sesskey) CSRF token. An attacker who lures a logged-in user with badge deletion permissions to a page they control can have that user's browser issue the deletion request (for example from a hidden, auto-submitted form); the browser attaches the Moodle session cookie, and because the token is not checked the request succeeds without any further interaction. Every Moodle instance running an affected version is exposed whenever such a user browses the web while logged in.
💻 Affected Systems
- Moodle
📦 What is this software?
Moodle by Moodle (upstream)
Fedora by Fedoraproject (distribution package of Moodle)
Extra Packages For Enterprise Linux (EPEL) by Fedoraproject (distribution package of Moodle)
⚠️ Risk & Real-World Impact
Worst Case
An attacker who targets a sufficiently privileged user (a site administrator or badge manager) could delete every badge on the Moodle instance, breaking the gamification/reward system, removing recognition that users have already earned, and leaving no trustworthy record of achievements.
Likely Case
Targeted deletion of specific badges, potentially removing important recognition markers or disrupting course completion requirements.
If Mitigated
Once the fix is applied, the endpoint rejects any request without a valid sesskey, so a forged cross-site request fails regardless of which sites users visit. Until then, the risk depends on how many users hold badge deletion capabilities and how easily they can be lured to an attacker-controlled page; user awareness reduces but does not eliminate that risk.
🎯 Exploit Status
CSRF attacks are well understood and cheap to mount: the attacker needs only a web page the victim will load, and no credentials, because the victim's browser supplies the Moodle session cookie automatically. Exploitation requires the victim to be logged in to Moodle and to hold badge deletion permissions at the moment the forged request is sent.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Moodle 3.11.4, 3.10.8, 3.9.11
Vendor Advisory: https://moodle.org/mod/forum/discuss.php?d=429099
Restart Required: No
Instructions:
1. Back up your Moodle instance (database and moodledata) before upgrading.
2. Upgrade to Moodle 3.11.4, 3.10.8, or 3.9.11 (or later) on the branch you are running, then complete the upgrade via Site administration > Notifications or `php admin/cli/upgrade.php`.
3. Verify the upgrade completed successfully (see "How to Verify" below).
🔧 Temporary Workarounds
Add the Missing CSRF Check
Applies to: all platforms. Adding a sesskey (Moodle CSRF token) check to the badge deletion endpoint is effectively a backport of the vendor fix and requires modifying Moodle code; only do this if you cannot upgrade, and remove the local change when you do.
Restrict Badge Deletion Permissions
Applies to: all platforms. Temporarily remove the badge deletion capability from every role that does not strictly need it, so fewer users can be used as CSRF victims.
Navigate to Site administration > Users > Permissions > Define roles > Edit role > uncheck 'moodle/badges:deletebadge'. Note that site administrators retain all capabilities regardless of role settings, so they remain exposed until the patch is applied.
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules that reject requests to the badge deletion endpoint whose Origin or Referer header is missing or points outside your Moodle host. A WAF cannot validate the sesskey itself (it is tied to the user's session), so this only raises the bar; legitimate requests from Moodle pages carry a same-host Referer.
- Educate users with badge deletion permissions about CSRF risks: log out of Moodle when finished, and do not browse untrusted sites in the same browser session while logged in.
🔍 How to Verify
Check if Vulnerable:
Check the Moodle version in Site administration > Notifications. You are vulnerable if you run 3.11.0 to 3.11.3, 3.10.0 to 3.10.7, or 3.9.0 to 3.9.10. Branches older than 3.9 were out of security support when the fix was released and did not receive it; treat them as vulnerable and upgrade to a supported branch.
Check Version:
Check the Moodle version via Site administration > Notifications, or read the `$release` line in version.php at the root of the Moodle code directory.
Verify Fix Applied:
After patching, verify that Site administration > Notifications shows 3.11.4, 3.10.8, or 3.9.11 (or a later release on the same branch). For distribution packages (Fedora, EPEL), confirm the installed package is a build that includes this fix.
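The version check above can be automated against version.php. The following script is an added example written for this page, not Moodle's own code: it reads the `$release` line, maps the branch to the fixed release listed in this advisory, and reports whether the install needs patching. The version.php content embedded below is a constructed sample (the build dates are illustrative), and the handling of branches older than 3.9 assumes, as noted above, that no fixed release exists for them.

```python
"""Assess a Moodle version.php against the fixed releases for CVE-2021-43559."""
import re
from typing import Tuple

# Minimum fixed patch level per supported branch, from this advisory.
FIXED = {(3, 11): 4, (3, 10): 8, (3, 9): 11}
OLDEST_FIXED_BRANCH = min(FIXED)

# Constructed sample of the relevant lines of a Moodle version.php
# (a real file has more lines; only $release is parsed here).
SAMPLE_VERSION_PHP = """<?php
defined('MOODLE_INTERNAL') || die();
$release  = '3.11.3 (Build: 20211011)';
$branch   = '311';
$maturity = MATURITY_STABLE;
"""

# Matches e.g. "$release  = '3.11.3 (Build: 20211011)';" or "$release = '3.11 (...)';"
# (x.y.0 releases are written without the trailing .0 in Moodle).
RELEASE_RE = re.compile(r"""\$release\s*=\s*['"](\d+)\.(\d+)(?:\.(\d+))?""")


def parse_release(version_php: str) -> Tuple[int, int, int]:
    """Return (major, minor, patch) from the $release line, patch defaulting to 0."""
    m = RELEASE_RE.search(version_php)
    if not m:
        raise ValueError("no $release line found in version.php")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def assess(version_php: str) -> Tuple[bool, str]:
    """Return (vulnerable, reason) for the release found in version_php."""
    major, minor, patch = parse_release(version_php)
    branch = (major, minor)
    label = f"{major}.{minor}.{patch}"
    if branch > max(FIXED):
        # 4.0 and later were released after the fix and include it.
        return False, f"{label}: branch newer than the fixed releases; not affected"
    if branch < OLDEST_FIXED_BRANCH:
        # Assumption stated in the advisory text: unsupported branches got no fix.
        return True, f"{label}: unsupported branch with no fixed release; upgrade branch"
    needed = FIXED[branch]
    if patch >= needed:
        return False, f"{label}: at or above fixed release {major}.{minor}.{needed}"
    return True, f"{label}: below fixed release {major}.{minor}.{needed}; upgrade"


if __name__ == "__main__":
    import sys
    # Pass the path to version.php, or run without arguments to use the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_VERSION_PHP
    vulnerable, reason = assess(text)
    print(("VULNERABLE: " if vulnerable else "OK: ") + reason)
```

Run it as `python check_moodle.py /var/www/moodle/version.php`; a non-empty `+` suffix on the release (weekly builds such as `3.11.3+`) is treated as the base patch level, since a weekly build cut before the point release does not carry the fix.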
📡 Detection & Monitoring
Log Indicators:
- In Moodle's standard log (Site administration > Reports > Logs, or the logstore_standard_log table): many badge deleted events from the same user within a short time window, especially from a user who does not normally manage badges
- In the web server access log: requests to the badge deletion endpoint with no Referer header or a Referer on a host other than your Moodle site (a weak signal on its own, since browsers may suppress the Referer under a strict Referrer-Policy)
Network Indicators:
- HTTP requests to badge deletion endpoints that lack the sesskey parameter (Moodle's CSRF token); this is only visible in access logs for GET requests, since POST bodies are not logged
- Requests whose Referer or Origin is an unexpected domain
SIEM Query:
Pseudo-queries; field names are placeholders to map onto your log sources, and the endpoint path should be confirmed against your Moodle version:
Moodle event log: source="moodle_logs" AND eventname="\core\event\badge_deleted" AND count>5 by userid within 5min
Web server log: source="access_log" AND uri="/badges/delete.php" AND (referer missing OR referer NOT on your Moodle host)
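Both indicators can be tested offline before they are turned into SIEM rules. The script below is an added example written for this page, not part of the advisory or of Moodle: it applies the "more than 5 deletions by one user in 5 minutes" rule to records shaped like Moodle's standard log, and scans Apache combined-format access log lines for badge deletion requests with a missing or foreign Referer, or (for GET requests only) no sesskey parameter. The events and log lines are constructed samples; the endpoint paths `/badges/delete.php` (named on this page) and `/badges/index.php?delete=...` are assumptions to adjust for your install.

```python
"""Run the badge deletion CSRF indicators over constructed sample logs."""
import re
from collections import defaultdict
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

BADGE_DELETED = r"\core\event\badge_deleted"  # Moodle event name for badge deletion

# Constructed sample of Moodle standard-log rows: user 7 deletes six badges in
# one minute, user 9 deletes two badges an hour apart, plus an unrelated event.
EVENTS = (
    [{"eventname": BADGE_DELETED, "userid": 7, "objectid": 10 + i,
      "timecreated": 1636000000 + 10 * i} for i in range(6)]
    + [{"eventname": BADGE_DELETED, "userid": 9, "objectid": 20, "timecreated": 1636000000},
       {"eventname": BADGE_DELETED, "userid": 9, "objectid": 21, "timecreated": 1636003600},
       {"eventname": r"\core\event\badge_created", "userid": 7, "objectid": 30,
        "timecreated": 1636000005}]
)

# Constructed Apache "combined" access log lines (sesskey values are dummies).
ACCESS_LOG = """\
203.0.113.5 - - [04/Nov/2021:10:00:01 +0000] "GET /badges/index.php?type=1&delete=11&confirm=1&sesskey=abc123 HTTP/1.1" 303 0 "https://moodle.example.edu/badges/index.php?type=1" "Mozilla/5.0"
203.0.113.5 - - [04/Nov/2021:10:00:20 +0000] "POST /badges/delete.php HTTP/1.1" 200 512 "https://evil.example.net/win-a-prize.html" "Mozilla/5.0"
203.0.113.5 - - [04/Nov/2021:10:00:21 +0000] "POST /badges/delete.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [04/Nov/2021:10:00:22 +0000] "GET /badges/index.php?type=1&delete=13&confirm=1 HTTP/1.1" 303 0 "https://evil.example.net/win-a-prize.html" "Mozilla/5.0"
198.51.100.9 - - [04/Nov/2021:10:05:00 +0000] "GET /course/view.php?id=2 HTTP/1.1" 200 8192 "https://moodle.example.edu/my/" "Mozilla/5.0"
"""

COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def burst_deletions(events: List[dict], threshold: int = 5, window_s: int = 300) -> Dict[int, int]:
    """Return {userid: peak deletions in any window_s window} for users exceeding threshold."""
    times = defaultdict(list)
    for e in events:
        if e["eventname"] == BADGE_DELETED:
            times[e["userid"]].append(e["timecreated"])
    hits = {}
    for uid, ts in times.items():
        ts.sort()
        start, peak = 0, 0
        for end, t in enumerate(ts):          # sliding window over sorted timestamps
            while t - ts[start] > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            hits[uid] = peak
    return hits


def parse_combined(line: str) -> Optional[dict]:
    """Parse one Apache combined-format line into a dict, or None if it does not match."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def is_badge_deletion(target: str) -> bool:
    """Assumed deletion endpoints: /badges/delete.php, or /badges/* with a delete= parameter."""
    parts = urlsplit(target)
    if parts.path == "/badges/delete.php":
        return True
    return parts.path.startswith("/badges/") and "delete" in parse_qs(parts.query)


def flag_badge_requests(access_log: str, site_host: str) -> List[dict]:
    """Return badge deletion requests with a missing/foreign Referer or (GET only) no sesskey."""
    flagged = []
    for line in access_log.strip().splitlines():
        rec = parse_combined(line)
        if not rec or not is_badge_deletion(rec["target"]):
            continue
        reasons = []
        referer = rec["referer"]
        if referer in ("", "-"):
            reasons.append("no referer")            # weak signal: Referrer-Policy may strip it
        elif urlsplit(referer).hostname != site_host:
            reasons.append("foreign referer")
        # POST bodies are not in the access log, so the token check is GET-only.
        if rec["method"] == "GET" and "sesskey" not in parse_qs(urlsplit(rec["target"]).query):
            reasons.append("no sesskey")
        if reasons:
            flagged.append({"ip": rec["ip"], "method": rec["method"],
                            "target": rec["target"], "reasons": reasons})
    return flagged


if __name__ == "__main__":
    print("burst deletions:", burst_deletions(EVENTS))
    for hit in flag_badge_requests(ACCESS_LOG, "moodle.example.edu"):
        print("suspicious:", hit)
```

The first sample line is a legitimate deletion (same-host Referer, sesskey present) and is not flagged; the three lines that follow illustrate a foreign Referer, a suppressed Referer, and a GET deletion with no token. Tune `threshold` and `window_s` to your site's normal badge administration activity before alerting on the burst rule.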