CVE-2024-34006
📋 TL;DR
This CVE describes a cross-site scripting (XSS) vulnerability in Moodle's site log report where HTML content in event descriptions isn't properly encoded. This allows attackers to inject malicious scripts that execute in users' browsers when viewing logs. Affects Moodle administrators and users with log viewing permissions.
💻 Affected Systems
- Moodle
📦 What is this software?
Moodle by Moodle
⚠️ Risk & Real-World Impact
Worst Case
An attacker could execute arbitrary JavaScript in an administrator's browser, potentially stealing session cookies, performing actions as the administrator, or redirecting to malicious sites.
Likely Case
Limited XSS affecting only users with log viewing permissions, potentially allowing session hijacking or limited account compromise.
If Mitigated
No impact if proper input validation and output encoding are implemented.
🎯 Exploit Status
Exploitation requires ability to inject content into logs (may require certain permissions) and victim to view the logs. Not trivial but feasible for determined attackers.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not specified in provided references, but Moodle security updates typically address such issues.
Vendor Advisory: https://moodle.org/mod/forum/discuss.php?d=458395
Restart Required: No
Instructions:
1. Check Moodle security announcements.
2. Apply the latest Moodle security update.
3. Verify the fix by checking that HTML in log descriptions is now properly encoded.
🔧 Temporary Workarounds
Restrict log access
Limit access to site log reports to only essential administrators.
Navigate to Site administration > Users > Permissions > Define roles > Edit role capabilities > Restrict 'report/log:view' capability
Manual output encoding
Implement custom output encoding for log display if patching isn't immediately possible.
Modify log display templates to apply htmlspecialchars() or equivalent encoding to event descriptions
🧯 If You Can't Patch
- Restrict access to site log reports to minimal trusted administrators only
- Implement web application firewall rules to detect and block XSS payloads in log content
🔍 How to Verify
Check if Vulnerable:
Test by creating a log entry containing HTML tags like <script>alert('test')</script> and check if they execute when viewing logs.
Check Version:
Check Moodle version via Site administration > Notifications page or by examining version.php file
Verify Fix Applied:
After patching, test with the same HTML content; it should display as plain text rather than executing.
📡 Detection & Monitoring
Log Indicators:
- Unusual HTML/JavaScript content in log entries
- Multiple log entries with similar suspicious content
Network Indicators:
- Unexpected outbound connections from admin workstations after viewing logs
SIEM Query:
Search for log entries containing script tags or JavaScript patterns in Moodle logs
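As an added example, not taken from the advisory or from Moodle's own code: the indicator scan described above run over constructed log descriptions, together with the output-encoding step from the "Manual output encoding" workaround, written with Python's html.escape as the equivalent of htmlspecialchars(). The sample descriptions, pattern names and function names are assumptions.

```python
import html
import re

# Constructed sample log descriptions in the shape of Moodle standard-log
# event descriptions; none of these come from a real site.
SAMPLE_DESCRIPTIONS = [
    "The user with id '5' viewed the course with id '12'.",
    "The user with id '7' updated the profile <script>alert('test')</script>.",
    "The user with id '9' created the forum post <img src=x onerror=alert(1)>.",
    "The user with id '3' added the link <a href=\"javascript:alert(1)\">x</a>.",
]

# Patterns a defender would search for in stored descriptions: script tags,
# inline event-handler attributes and javascript: URIs (case-insensitive).
XSS_PATTERNS = {
    "script_tag": re.compile(r"<\s*/?\s*script\b", re.I),
    "event_handler": re.compile(r"\bon[a-z]+\s*=", re.I),
    "javascript_uri": re.compile(r"javascript\s*:", re.I),
}


def xss_indicators(description: str) -> list[str]:
    """Return the names of the indicator patterns found in one description."""
    return [name for name, rx in XSS_PATTERNS.items() if rx.search(description)]


def flag_suspicious(descriptions: list[str]) -> list[tuple[int, list[str]]]:
    """Index and indicator names of every description matching any pattern."""
    flagged = []
    for i, d in enumerate(descriptions):
        hits = xss_indicators(d)
        if hits:
            flagged.append((i, hits))
    return flagged


def render_description(description: str) -> str:
    """Output-encode a description before it is placed in the report's HTML.

    Equivalent to PHP htmlspecialchars($s, ENT_QUOTES): <, >, &, " and '
    become entities, so the browser shows text instead of parsing markup.
    """
    return html.escape(description, quote=True)


def is_encoded(rendered: str) -> bool:
    """Fix check: an encoded description contains no raw angle brackets."""
    return "<" not in rendered and ">" not in rendered
```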