Login Sign Up

CVE-2024-34312

6.1 MEDIUM
Cross-Site Scripting

📋 TL;DR

Virtual Programming Lab for Moodle up to version 4.2.3 contains a cross-site scripting (XSS) vulnerability in the vplide.js component. This allows attackers to inject malicious scripts into web pages viewed by users, potentially stealing session cookies or performing actions on behalf of authenticated users. Moodle administrators and users of affected Virtual Programming Lab installations are impacted.

💻 Affected Systems

Products:
  • Virtual Programming Lab for Moodle
Versions: Up to and including version 4.2.3
Operating Systems: All platforms running Moodle
Default Config Vulnerable: ⚠️ Yes
Notes: Requires Virtual Programming Lab plugin to be installed and enabled in Moodle.

📦 What is this software?

Virtual Programming Lab by Moodle

View all CVEs affecting Virtual Programming Lab →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could steal administrator session cookies, gain administrative access to Moodle, compromise student data, or deploy malware to users' browsers.

🟠

Likely Case

Attackers steal user session cookies to impersonate legitimate users, potentially accessing sensitive course materials or submitting malicious content.

🟢

If Mitigated

With proper input validation and output encoding, the attack surface is reduced, but the vulnerability still exists in the codebase.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires user interaction or social engineering to trigger the malicious payload.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version 4.2.4 or later

Vendor Advisory: https://github.com/vincentscode/CVE-2024-34312

Restart Required: No

Instructions:

1. Update Virtual Programming Lab plugin to version 4.2.4 or later. 2. Clear Moodle cache. 3. Verify the update in Moodle plugin administration.

🔧 Temporary Workarounds

Disable Virtual Programming Lab

all

Temporarily disable the vulnerable plugin until patching is possible.

Navigate to Moodle admin panel > Plugins > Manage plugins > Disable Virtual Programming Lab

Implement Content Security Policy

all

Add CSP headers to restrict script execution from untrusted sources.

Add 'Content-Security-Policy: script-src 'self'' to web server configuration

🧯 If You Can't Patch

  • Restrict access to Moodle instance using network segmentation or VPN
  • Implement web application firewall rules to block XSS payload patterns

🔍 How to Verify

Check if Vulnerable:

Check Virtual Programming Lab plugin version in Moodle administration panel under Plugins > Manage plugins.

Check Version:

Check Moodle admin panel or database table mdl_config_plugins for plugin version

Verify Fix Applied:

Verify plugin version is 4.2.4 or later and test XSS payloads no longer execute.

📡 Detection & Monitoring

Log Indicators:

  • Unusual JavaScript payloads in HTTP requests
  • Multiple failed XSS attempts in web server logs

Network Indicators:

  • HTTP requests containing script tags or JavaScript in parameters

SIEM Query:

web.url:*vplide.js* AND (web.param:*<script* OR web.param:*javascript:* OR web.param:*onerror=*)

📊 Metadata

CVE ID: CVE-2024-34312
CVSS v3 Score: 6.1 (MEDIUM)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-79
Published: June 24, 2024
Last Updated: March 25, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-34312, you might also want to check these:

CVE-2021-39199 10.0

CVE-2021-39199 is a critical cross-site scripting (XSS) vulnerability in the remark-html Node.js lib...

Same vulnerability type (CWE-79)
CVE-2021-32671 10.0

This vulnerability in Flarum forum software allows attackers to inject malicious HTML/JavaScript int...

Same vulnerability type (CWE-79)
CVE-2021-32798 10.0

CVE-2021-32798 is a critical vulnerability in Jupyter Notebook that allows malicious notebook files ...

Same vulnerability type (CWE-79)