CVE-2024-43434
📋 TL;DR
This CSRF vulnerability in Moodle's Feedback module allows attackers to trick authenticated users into unknowingly sending bulk messages to non-respondents. Any Moodle instance with the Feedback module enabled is affected, potentially impacting all users with appropriate permissions.
💻 Affected Systems
- Moodle
📦 What is this software?
Moodle by Moodle
⚠️ Risk & Real-World Impact
Worst Case
Attackers could send malicious bulk messages to all course participants, potentially spreading phishing links, malware, or inappropriate content while appearing to come from legitimate instructors.
Likely Case
Spam messages sent to course participants, potentially damaging institutional reputation and causing user confusion.
If Mitigated
With proper CSRF protections and user awareness, impact is limited to minor inconvenience if detected quickly.
🎯 Exploit Status
Requires interaction from an authenticated user, but because this is a CSRF, exploitation is straightforward once a malicious page has been crafted.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Moodle 4.3.7, 4.2.10, 4.1.14, 4.0.18, 3.11.21
Vendor Advisory: https://moodle.org/mod/forum/discuss.php?d=461203
Restart Required: No
Instructions:
1. Back up your Moodle installation and database.
2. Download the patched version from moodle.org.
3. Replace the affected files or perform a complete upgrade.
4. Clear Moodle caches.
5. Verify functionality.
🔧 Temporary Workarounds
Disable Feedback Module
Temporarily disable the Feedback module if it is not essential.
Navigate to Site administration > Plugins > Activity modules > Manage activities > Feedback and click the eye icon to disable it.
Restrict Non-Respondents Report Access
Limit access to the users who absolutely need this functionality.
Adjust role permissions in Site administration > Users > Permissions > Define roles.
🧯 If You Can't Patch
- Implement additional CSRF protections at web application firewall level
- Monitor for unusual bulk message sending activity and alert on anomalies
🔍 How to Verify
Check if Vulnerable:
Check Moodle version in Site administration > General > About Moodle. Compare against affected versions list.
Check Version:
Check Moodle admin panel or examine version.php file in Moodle root directory
Verify Fix Applied:
After patching, confirm that the reported version is one of the fixed releases, then test the bulk message sending functionality and confirm that it now enforces CSRF token validation.
📡 Detection & Monitoring
Log Indicators:
- Unusual bulk message sending patterns
- Multiple messages sent in quick succession from single user sessions
Network Indicators:
- POST requests to feedback/nonrespondents.php whose Referer header is missing or does not point to your own Moodle site
SIEM Query:
Search for: event_source='moodle' AND event_name='message_sent' AND message_count>threshold AND session_duration<short_timeframe (threshold and short_timeframe are site-specific placeholders to tune for your environment)
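The two indicators above (off-site or missing Referer on POSTs to the non-respondents page, and bursts of message_sent events from one session) can be checked offline with a short script. The following is an added example, not code from the page or from Moodle: the access-log lines and the event records are constructed samples, the site host `moodle.example.edu` and the `/mod/` prefix on the path are assumptions, and the burst threshold and window are placeholders you would tune as the SIEM query suggests.

```python
"""Detection helpers for the CVE-2024-43434 indicators: suspicious POSTs and
message_sent bursts. Added example with constructed sample data."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

SITE_HOST = "moodle.example.edu"              # assumption: your Moodle host
TARGET_PATH = "feedback/nonrespondents.php"   # path named in the advisory

# Combined-format access log with a trailing Referer field (constructed).
ACCESS_LOG = [
    '10.0.0.5 - - [12/Aug/2024:10:01:02 +0000] "POST /mod/feedback/nonrespondents.php HTTP/1.1" 303 - '
    '"https://moodle.example.edu/mod/feedback/nonrespondents.php?id=7"',
    '10.0.0.9 - - [12/Aug/2024:10:03:10 +0000] "POST /mod/feedback/nonrespondents.php HTTP/1.1" 303 - "-"',
    '10.0.0.9 - - [12/Aug/2024:10:03:11 +0000] "POST /mod/feedback/nonrespondents.php HTTP/1.1" 303 - '
    '"https://evil.example.net/lure.html"',
    '10.0.0.5 - - [12/Aug/2024:10:04:00 +0000] "GET /mod/feedback/nonrespondents.php?id=7 HTTP/1.1" 200 - "-"',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d+) \S+ "(?P<referer>[^"]*)"'
)


def suspicious_csrf_posts(lines, site_host):
    """Return POSTs to the non-respondents page whose Referer is absent or off-site."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        path = urlsplit(m["url"]).path
        if not path.endswith(TARGET_PATH):
            continue
        referer = m["referer"]
        if referer in ("", "-"):
            reason = "missing Referer"
        elif urlsplit(referer).hostname != site_host:
            reason = "off-site Referer"
        else:
            continue  # same-site Referer: expected for a real form submission
        hits.append({"ip": m["ip"], "time": m["ts"], "reason": reason})
    return hits


# Simplified event records with the field names used in the SIEM query (constructed).
_base = datetime(2024, 8, 12, 10, 3, 10)
EVENTS = [
    {"event_source": "moodle", "event_name": "message_sent", "user": 42,
     "session": "s1", "time": _base + timedelta(seconds=i)} for i in range(25)
] + [
    {"event_source": "moodle", "event_name": "message_sent", "user": 7,
     "session": "s2", "time": _base + timedelta(minutes=20 * i)} for i in range(3)
]


def burst_sessions(events, threshold=20, window_seconds=60):
    """Map session -> peak count of message_sent events inside any sliding window
    of window_seconds, for sessions whose peak exceeds threshold."""
    by_session = defaultdict(list)
    for e in events:
        if e["event_source"] == "moodle" and e["event_name"] == "message_sent":
            by_session[e["session"]].append(e["time"])
    flagged = {}
    for sess, times in by_session.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            count = end - start + 1
            if count > threshold:
                flagged[sess] = max(flagged.get(sess, 0), count)
    return flagged


if __name__ == "__main__":
    for hit in suspicious_csrf_posts(ACCESS_LOG, SITE_HOST):
        print("suspicious POST:", hit)
    for sess, peak in burst_sessions(EVENTS).items():
        print(f"burst: session {sess} sent {peak} messages within 60s")
```

A missing Referer on its own is a weak signal, since browsers legitimately strip it under some referrer policies, so treat the Referer check as a triage hint and the per-session burst as the stronger indicator; correlating the two (an off-site POST followed by a burst from the same session) is what makes a CSRF-triggered bulk send stand out from a teacher deliberately messaging a class.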