CVE-2022-0335
📋 TL;DR
CVE-2022-0335 is a Cross-Site Request Forgery (CSRF) weakness in Moodle's badges subsystem: the "delete badge alignment" action did not check the anti-CSRF token (sesskey) that Moodle requires on state-changing requests. An attacker who lures a logged-in user with badge configuration rights to a page they control can make that user's browser submit the deletion request, removing an alignment without the user's knowledge. Affected versions: Moodle 3.11 to 3.11.4, 3.10 to 3.10.8, 3.9 to 3.9.11, and earlier unsupported versions.
💻 Affected Systems
- Moodle 3.11 to 3.11.4, 3.10 to 3.10.8, 3.9 to 3.9.11, and earlier unsupported branches
📦 What is this software?
Moodle by Moodle: an open-source learning management system written in PHP. Its badges subsystem issues Open Badges; a badge "alignment" is the metadata record linking a badge to an external standard or skills framework.
⚠️ Risk & Real-World Impact
Worst Case
An attacker who knows or guesses alignment identifiers could strip the alignments from every badge a targeted administrator is able to configure. Deleting an alignment does not revoke badges already awarded, but it removes the link between the credential and the standard it claims to meet, and recovering the records means restoring from backup or re-entering them by hand.
Likely Case
Targeted deletion of alignments from specific badges to undermine the standards a programme's credentials claim to map to, or to disrupt the badge programme of a particular course or department.
If Mitigated
Once the patch is applied, the sesskey check rejects forged requests outright. Before that, limiting who holds badge configuration rights and warning those users about unsolicited links shrinks the pool of viable victims, but a single successful lure still deletes data.
🎯 Exploit Status
The attacker needs no Moodle account. A victim must be logged into Moodle, hold the capability to configure the target badge, and load attacker-controlled content (a web page or HTML e-mail) while that session is live; the victim's browser then submits the deletion with the victim's session cookie. The attacker must also know or guess the target alignment's identifier, which is a sequential database id.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Moodle 3.11.5, 3.10.9, 3.9.12, and later versions
Vendor Advisory: https://moodle.org/mod/forum/discuss.php?d=431103
Restart Required: No
Instructions:
1. Back up the Moodle code directory and the database.
2. Upgrade to 3.11.5, 3.10.9 or 3.9.12 (or later) on your branch. Sites on 3.8 or older receive no fix and must move to a supported branch.
3. Complete the upgrade through Site administration > Notifications or with php admin/cli/upgrade.php.
4. Purge caches with php admin/cli/purge_caches.php (or Site administration > Development > Purge caches).
🔧 Temporary Workarounds
Harden the session cookie (partial protection only)
A Content Security Policy does not stop CSRF: a CSP on Moodle's responses controls what Moodle's own pages may load, not what a page on another site can make the victim's browser send to Moodle along with its session cookie. The complete fix is the sesskey (anti-CSRF token) check in the patched releases. As defence in depth until you upgrade, give the PHP session cookie a SameSite attribute and confirm in the Set-Cookie response header that your Moodle version does not override it.
Add to php.ini (PHP 7.3 or later): session.cookie_samesite = Lax
Caveat: Lax still sends the cookie on top-level GET navigations, so it helps only against forged cross-site POSTs; Strict closes that gap but can break external authentication flows. Test on a staging site first.
Restrict who can configure badges
Temporarily reduce the number of accounts that can reach the badge alignment page; this shrinks the pool of potential victims but does not remove the flaw
Navigate to Site administration > Users > Permissions > Define roles (or use Check permissions in the badge's course or site context)
Review which roles hold the badge configuration capabilities, in particular moodle/badges:configuredetails, which gates badge details including alignments in a default install; Moodle has no separate alignment capability
🧯 If You Can't Patch
- Add a WAF or reverse-proxy rule that rejects requests to the badge alignment page whose Origin or Referer header is missing or names a host other than your Moodle site; expect false positives from privacy tools that strip Referer, so run it in log-only mode first
- Warn administrative and teaching staff who hold badge configuration rights not to follow unsolicited links while logged in, and to log out of Moodle when finished
🔍 How to Verify
Check if Vulnerable:
Read the release string on Site administration > Notifications, or from the $release line of version.php in the Moodle code directory (admin/cli/check_database_schema.php reports schema differences, not the version)
Check Version:
grep '^\$release' /path/to/moodle/version.php
Verify Fix Applied:
Confirm $release reports 3.11.5+, 3.10.9+, 3.9.12+ or a 4.x release. To test the behaviour, log into a test account with badge configuration rights on a staging site, capture a legitimate alignment deletion request in the browser's developer tools, then replay it with the sesskey parameter removed or altered: a patched site answers with Moodle's invalid sesskey error and leaves the alignment in place, while a vulnerable site performs the deletion.
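The version check above can be scripted. The following is an added example, not part of the original advisory or of Moodle's own tooling: it reads the $release string from a version.php, maps it to the fix levels listed in this advisory (3.9.12, 3.10.9, 3.11.5) and classifies the site. The sample version.php text is constructed for the example; weekly "+" builds are treated conservatively as the base release because the string alone cannot show whether the fix is included.

```python
import re

# Fix levels per supported branch, from the advisory above. Branches older
# than 3.9 were out of support when the fix shipped; 4.0 and later were
# released after it.
FIXED_IN = {
    (3, 9): (3, 9, 12),
    (3, 10): (3, 10, 9),
    (3, 11): (3, 11, 5),
}
OLDEST_FIXED_BRANCH = (3, 9)

_RELEASE_RE = re.compile(r"\$release\s*=\s*'([^']*)'")


def parse_release(version_php: str) -> tuple:
    """Return (major, minor, point) from the $release line of version.php.

    Moodle writes $release as e.g. '3.11.4 (Build: 20220110)'; weekly builds
    append '+' ('3.11.4+') and development builds add a suffix ('4.0dev').
    Only the leading numeric components are used, so a 3.11.4+ weekly build
    is treated as 3.11.4 (conservative: it may or may not contain the fix).
    """
    m = _RELEASE_RE.search(version_php)
    if not m:
        raise ValueError("no $release assignment found in version.php text")
    first_token = m.group(1).split()[0]
    nums = [int(n) for n in re.findall(r"\d+", first_token)][:3]
    if not nums:
        raise ValueError(f"unparseable release string {m.group(1)!r}")
    return tuple(nums + [0] * (3 - len(nums)))


def assess(version_php: str) -> str:
    """Classify version.php text as 'fixed', 'vulnerable' or 'unsupported'."""
    release = parse_release(version_php)
    branch = release[:2]
    if branch in FIXED_IN:
        return "fixed" if release >= FIXED_IN[branch] else "vulnerable"
    if branch < OLDEST_FIXED_BRANCH:
        # e.g. 3.8.x: no fix was ever published for this branch; treat as vulnerable
        return "unsupported"
    return "fixed"


# Constructed sample of a version.php from an unpatched 3.11 site (not a real file).
SAMPLE_VERSION_PHP = """<?php
defined('MOODLE_INTERNAL') || die();
$release  = '3.11.4 (Build: 20220110)';
$branch   = '311';
$maturity = MATURITY_STABLE;
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_VERSION_PHP
    print(f"{parse_release(text)} -> {assess(text)}")
```

Run it as `python check_moodle_release.py /path/to/moodle/version.php`; with no argument it classifies the embedded sample as vulnerable.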
📡 Detection & Monitoring
Log Indicators:
- Several alignment deletions by one account within seconds, or deletions at a time when that account shows no other activity; the source IP is the victim's, because the forged request is sent by their browser
- GET or POST requests to the badge alignment page whose Referer header is absent or names an origin other than your Moodle site (Moodle does not use the HTTP DELETE method); if your log store records no event for alignment deletion, the web server access log is the primary source
Network Indicators:
- Requests to badge alignment endpoints carrying a Referer from a domain you do not control
- Cross-origin requests to Moodle badge management endpoints from sessions that otherwise only browse within the site
SIEM Query (over web server access logs; the index, field names and host below are assumptions to adapt to your schema):
index=web_access uri_path="/badges/alignment*" NOT referer="https://moodle.example.edu/*" | stats count, min(_time), max(_time), values(referer) by user, clientip
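The Referer-based indicator above, applied to web server access logs, as an added example that is not part of the original advisory or of Moodle: it parses combined-format access log lines, keeps the requests that hit the badge alignment page, and flags those whose Referer is missing or from another origin, then counts them per (user, source IP) the way the SIEM query does. The Moodle origin, the alignment path prefix and the log lines are all constructed for the example; confirm the real path and deletion parameters against your own installation before relying on the filter.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Origin of your Moodle site. Assumed for this example; set it to your own host.
MOODLE_ORIGIN = "https://moodle.example.edu"

# Path prefix of the badge alignment page. The exact script name and the
# parameters that trigger a deletion should be confirmed against your install;
# the prefix below is an assumption chosen to match either spelling.
ALIGNMENT_PATH_RE = re.compile(r"^/badges/alignment")

# Apache/nginx "combined" access log format:
# host ident user [time] "method path proto" status bytes "referer" "user-agent"
_COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_combined(line: str):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = _COMBINED_RE.match(line)
    return m.groupdict() if m else None


def same_origin(referer: str, origin: str) -> bool:
    """True only when the Referer's scheme and host[:port] equal the site origin.

    A bare '-' (no Referer sent) counts as not same-origin, because a forged
    request launched from a cross-site page often arrives without one.
    """
    if not referer or referer == "-":
        return False
    r, o = urlparse(referer), urlparse(origin)
    return (r.scheme, r.netloc.lower()) == (o.scheme, o.netloc.lower())


def flag_csrf_candidates(lines, origin: str = MOODLE_ORIGIN):
    """Return parsed entries that reach the alignment page from outside the site.

    Legitimate use navigates to the alignment page from another Moodle page, so
    the Referer normally names the Moodle origin. Privacy tools that strip the
    Referer will produce false positives; review hits rather than auto-blocking.
    """
    hits = []
    for line in lines:
        entry = parse_combined(line)
        if entry is None:
            continue
        path = entry["path"].split("?", 1)[0]
        if ALIGNMENT_PATH_RE.match(path) and not same_origin(entry["referer"], origin):
            hits.append(entry)
    return hits


def summarize(hits) -> Counter:
    """Count flagged requests per (user, source IP): the 'stats count by' view."""
    return Counter((h["user"], h["ip"]) for h in hits)


# Constructed log lines (not real traffic): a normal visit, a forged request
# arriving from a cross-site page, a forged request with no Referer, and
# unrelated traffic. Note the forged requests come from the victim's own IP.
SAMPLE_LOG = """\
203.0.113.10 - tbrown [18/Jan/2022:09:12:03 +0000] "GET /badges/alignment.php?id=7 HTTP/1.1" 200 5120 "https://moodle.example.edu/badges/edit.php?id=7" "Mozilla/5.0"
203.0.113.10 - tbrown [18/Jan/2022:09:14:44 +0000] "GET /badges/alignment.php?id=7 HTTP/1.1" 303 0 "https://evil.example.net/prizes.html" "Mozilla/5.0"
203.0.113.10 - tbrown [18/Jan/2022:09:14:45 +0000] "POST /badges/alignment.php?id=7 HTTP/1.1" 303 0 "-" "Mozilla/5.0"
192.0.2.5 - - [18/Jan/2022:09:15:01 +0000] "GET /course/view.php?id=2 HTTP/1.1" 200 8120 "https://evil.example.net/" "Mozilla/5.0"
"""

if __name__ == "__main__":
    found = flag_csrf_candidates(SAMPLE_LOG.splitlines())
    for h in found:
        print(f'{h["ts"]} {h["user"]}@{h["ip"]} {h["method"]} {h["path"]} referer={h["referer"]}')
    print(summarize(found))
```

Feed it real lines with `flag_csrf_candidates(open("access.log"))`. Because the request is sent by the victim's browser, grouping by source IP points at compromised sessions, not at the attacker; the Referer value, when present, is what identifies the hosting site.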