CVE-2024-43435
📋 TL;DR
This vulnerability in Moodle allows users with course-level glossary restoration permissions to improperly restore glossaries into the global site glossary. This affects Moodle administrators and users with glossary restoration capabilities in courses. The flaw bypasses intended access controls for the global glossary.
💻 Affected Systems
- Moodle
📦 What is this software?
Moodle by Moodle
⚠️ Risk & Real-World Impact
Worst Case
Malicious users could inject inappropriate or malicious content into the global glossary visible to all site users, potentially spreading misinformation or offensive material across the entire platform.
Likely Case
Accidental or unauthorized glossary entries appearing in the global glossary, causing confusion or minor content pollution that requires administrative cleanup.
If Mitigated
Limited impact with proper user permission reviews and monitoring, where only trusted users have glossary restoration capabilities.
🎯 Exploit Status
Exploitation requires authenticated access with specific course-level permissions. The vulnerability is straightforward to exploit once the required permissions are obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version that fixes this
Vendor Advisory: https://moodle.org/mod/forum/discuss.php?d=461205
Restart Required: No
Instructions:
1. Update Moodle to the patched version.
2. Review and apply the security patch for your specific Moodle version.
3. Verify the fix by testing glossary restoration functionality.
🔧 Temporary Workarounds
Temporary permission restriction
Temporarily remove or restrict glossary restoration capabilities from users who don't absolutely need them.
Navigate to Site administration > Users > Permissions > Define roles > Edit role capabilities > Search for 'restore' and 'glossary' capabilities
🧯 If You Can't Patch
- Review and restrict user roles with glossary restoration capabilities to only essential personnel
- Implement monitoring for global glossary changes and establish approval workflows for glossary entries
🔍 How to Verify
Check if Vulnerable:
Check if users with course-level glossary restoration permissions can restore glossaries to the global site glossary. Test with a non-admin user having these permissions.
Check Version:
Check the Moodle version via the Site administration > Notifications page or by examining the version.php file.
Verify Fix Applied:
After patching, attempt to restore a glossary into the global site glossary with a user who has only course-level permissions; this should now be prevented.
📡 Detection & Monitoring
Log Indicators:
- Unusual glossary restoration activities, especially multiple restoration attempts or restorations by non-admin users
Network Indicators:
- HTTP POST requests to glossary restoration endpoints from non-admin user accounts
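The two log indicators above (restores by non-admin users, and bursts of restore attempts) as a small detection script over constructed Moodle-style log records. This is an added example, not part of the original advisory or of Moodle; the event name, the `other.modulename` key and the admin user-id set are assumptions for the demo, as is the sample log.

```python
"""Flag suspicious glossary restores in Moodle-style log records (added example)."""
import json
from collections import defaultdict

RESTORE_EVENT = r"\core\event\course_restored"   # ASSUMED event name for a restore
SITE_ADMINS = {2}                                 # ASSUMED admin user ids; take from the site's admin list in practice

# Constructed sample log, one JSON record per line, mimicking Moodle logstore field names.
SAMPLE_LOG = r"""
{"eventname": "\\core\\event\\course_restored", "userid": 2, "other": {"modulename": "glossary"}, "timecreated": 1000, "ip": "198.51.100.10"}
{"eventname": "\\core\\event\\course_restored", "userid": 5, "other": {"modulename": "glossary"}, "timecreated": 2000, "ip": "203.0.113.5"}
{"eventname": "\\mod_glossary\\event\\entry_viewed", "userid": 7, "other": {}, "timecreated": 2050, "ip": "203.0.113.9"}
{"eventname": "\\core\\event\\course_restored", "userid": 5, "other": {"modulename": "glossary"}, "timecreated": 2100, "ip": "203.0.113.5"}
{"eventname": "\\core\\event\\course_restored", "userid": 5, "other": {"modulename": "glossary"}, "timecreated": 2200, "ip": "203.0.113.5"}
{"eventname": "\\core\\event\\course_restored", "userid": 2, "other": {"modulename": "forum"}, "timecreated": 5000, "ip": "198.51.100.10"}
"""


def parse_log(text):
    """Parse JSON-lines log text into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_glossary_restore(rec):
    """True when the record is a restore event whose restored module is a glossary (assumed layout)."""
    other = rec.get("other") or {}
    return rec.get("eventname") == RESTORE_EVENT and other.get("modulename") == "glossary"


def find_suspicious_restores(records, admins=SITE_ADMINS, window=300, threshold=3):
    """Alert on glossary restores by non-admins and on `threshold` or more
    restores by one user within `window` seconds (the page's two indicators)."""
    alerts, per_user = [], defaultdict(list)
    for rec in records:
        if not is_glossary_restore(rec):
            continue
        per_user[rec["userid"]].append(rec["timecreated"])
        if rec["userid"] not in admins:
            alerts.append({"userid": rec["userid"], "ip": rec.get("ip"),
                           "time": rec["timecreated"], "reason": "restore by non-admin"})
    for uid, times in per_user.items():
        times.sort()  # sliding window over the user's restore timestamps
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                alerts.append({"userid": uid, "ip": None, "time": times[i],
                               "reason": f"{threshold} restores within {window}s"})
                break  # one burst alert per user is enough
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_restores(parse_log(SAMPLE_LOG)):
        print(alert)
```

Feed it an export of the standard log filtered to restore events; the burst rule fires even for admins, which is useful where restore activity is normally rare.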