CVE-2024-43438
📋 TL;DR
This vulnerability allows authenticated users who hold bulk messaging permissions on a Feedback activity to send messages to users who should not be visible to them in the activity's non-respondents report (for example, users outside their own group). It affects Moodle installations where the Feedback module is enabled and a user holds those permissions; the recipient list submitted from the report is not adequately validated against the set of users the sender is allowed to see.
💻 Affected Systems
- Moodle
📦 What is this software?
Moodle by Moodle
⚠️ Risk & Real-World Impact
Worst Case
A malicious user with the required permissions could send unsolicited messages to users who should be hidden from them in the report, enabling harassment, phishing, or social engineering of users they could not otherwise reach.
Likely Case
Accidental or deliberate misuse of bulk messaging to contact users who should not be listed in the report, breaching the privacy and group-separation expectations of the course.
If Mitigated
Limited impact if bulk messaging permissions are confined to trusted roles and messaging activity is monitored.
🎯 Exploit Status
Exploitation requires an authenticated account that already holds the relevant permissions on a Feedback activity. Once such a user reaches the non-respondents report, exploitation is straightforward and needs no special tooling: recipient IDs outside the visible list are supplied with the bulk message request and are not rejected.
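The following is an illustrative model of the flaw class, added here for clarity; it is not Moodle's PHP code and does not reproduce the real report's logic. A bulk-message handler that trusts the recipient IDs posted from the report is shown next to one that recomputes the recipients the caller may see and refuses anything outside that set. The user, activity and group structures, the separate-groups rule, and the sample IDs are all constructed assumptions for the model.

```python
"""Model of the recipient-validation flaw class behind CVE-2024-43438.
Added example, not Moodle code: the data model and the group rule are
simplifying assumptions, not a description of the real report."""

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class User:
    id: int
    groups: frozenset  # group ids the user belongs to in the course


@dataclass(frozen=True)
class FeedbackActivity:
    enrolled: dict           # user id -> User (constructed sample data)
    responded: frozenset     # ids that already submitted the feedback
    separate_groups: bool    # activity runs in separate-groups mode


def visible_nonrespondents(activity: FeedbackActivity, viewer: User) -> set:
    """Ids the report would actually list for this viewer: enrolled, not yet
    responded and, under separate groups, sharing a group with the viewer."""
    ids = {uid for uid in activity.enrolled if uid not in activity.responded}
    if activity.separate_groups:
        ids = {uid for uid in ids if activity.enrolled[uid].groups & viewer.groups}
    return ids


def bulk_send_vulnerable(activity: FeedbackActivity, viewer: User,
                         posted_ids: list) -> list:
    """Trusts the form: whatever ids the client posts become recipients."""
    return sorted(set(posted_ids))


def bulk_send_hardened(activity: FeedbackActivity, viewer: User,
                       posted_ids: list) -> list:
    """Re-derives the allowed set server-side and rejects out-of-scope ids."""
    allowed = visible_nonrespondents(activity, viewer)
    outside = set(posted_ids) - allowed
    if outside:
        raise PermissionError(
            f"recipients not in the viewer's non-respondent list: {sorted(outside)}")
    return sorted(set(posted_ids))


# Constructed sample: teacher in group 1; user 11 is in group 2, user 12 already
# responded, user 99 is not enrolled in the course at all.
TEACHER = User(id=1, groups=frozenset({1}))
ACTIVITY = FeedbackActivity(
    enrolled={
        10: User(10, frozenset({1})),
        11: User(11, frozenset({2})),
        12: User(12, frozenset({1})),
    },
    responded=frozenset({12}),
    separate_groups=True,
)
TAMPERED_POST = [10, 11, 99]  # 10 is legitimate; 11 and 99 were injected


def demo() -> tuple:
    """Returns (what the vulnerable handler sends, what the hardened one sends;
    None when the hardened handler rejects the request)."""
    unsafe = bulk_send_vulnerable(ACTIVITY, TEACHER, TAMPERED_POST)
    safe: Optional[list] = None
    try:
        safe = bulk_send_hardened(ACTIVITY, TEACHER, TAMPERED_POST)
    except PermissionError:
        pass
    return unsafe, safe


if __name__ == "__main__":
    print(demo())
```

The point of the hardened variant is that the allowed set is derived from server-side state (enrolment, responses, group membership) at send time, never from the IDs the browser submitted; the posted list is only ever checked against it, not used as the source of truth.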
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Moodle 4.3.8, 4.4.2, and later versions
Vendor Advisory: https://moodle.org/mod/forum/discuss.php?d=461208
Restart Required: No
Instructions:
1. Back up your Moodle installation and database.
2. Update to Moodle 4.3.8 or 4.4.2 (or later).
3. Apply the patch from the Moodle git repository if manual patching is needed.
4. Clear Moodle caches after the update.
🔧 Temporary Workarounds
Disable bulk messaging permissions
Temporarily remove the bulk messaging capability (moodle/course:bulkmessaging) and related messaging capabilities from roles that do not need them
Navigate to Site administration > Users > Permissions > Define roles > Edit role > Uncheck messaging permissions
Disable Feedback module
Completely disable the Feedback module if it is not required
Navigate to Site administration > Plugins > Activity modules > Manage activities > Disable Feedback
🧯 If You Can't Patch
- Review which roles hold moodle/course:bulkmessaging (and mod/feedback:viewreports, which is needed to reach the report) and restrict them to trusted staff only
- Monitor Moodle's standard log for unusual bulk messaging activity (\core\event\message_sent events)
🔍 How to Verify
Check if Vulnerable:
Check the Moodle version on the Site administration > Notifications page. If it is 4.3.0 to 4.3.7 or 4.4.0 to 4.4.1 and the Feedback module is enabled, the site is vulnerable.
Check Version:
Check the Moodle version via the web interface, or read the $release line in version.php in the Moodle root directory.
Verify Fix Applied:
After updating, verify that the version shows 4.3.8+, 4.4.2+, or later. Then test bulk messaging from a Feedback non-respondents report with a tampered recipient list (an ID outside the visible set) and confirm the request is rejected.
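The following script, added here and not a Moodle tool, performs the version.php check described above: it extracts the $release string and compares the branch's patch level against the fixed versions this page lists (4.3.8 and 4.4.2). Branches this page does not list are reported as unknown rather than guessed, and weekly "+" builds are refused because their patch number alone does not say whether the fix is included. The VERSION_PHP_SAMPLE text is constructed sample input.

```python
"""Check a Moodle version.php against the fixed versions listed on this page.
Added example, not Moodle code. Only branches in FIXED_PATCH are assessed."""

import re
from pathlib import Path

# Patch level at which each listed branch is fixed (from this page).
FIXED_PATCH = {(4, 3): 8, (4, 4): 2}

# Constructed sample of the relevant lines of a Moodle version.php.
VERSION_PHP_SAMPLE = """<?php
$version  = 2024042201.00;              // constructed sample value
$release  = '4.4.1 (Build: 20240708)';  // Human-friendly version name
$branch   = '404';
"""

RELEASE_RE = re.compile(r"\$release\s*=\s*'([^']+)'")
NUMBER_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(\+?)")


def parse_release(version_php_text: str) -> tuple:
    """Returns (major, minor, patch) from the $release assignment.

    Raises ValueError for a missing line or a weekly '+' build, which must be
    compared by build date against the fixed release instead of by patch number."""
    m = RELEASE_RE.search(version_php_text)
    if not m:
        raise ValueError("no $release assignment found")
    release = m.group(1)
    nums = NUMBER_RE.match(release)
    if not nums:
        raise ValueError(f"unrecognised release string: {release!r}")
    major, minor, patch, plus = nums.groups()
    if plus:
        raise ValueError(f"weekly build {release!r}: compare build date, not patch level")
    return int(major), int(minor), int(patch or 0)


def assess(release: tuple) -> str:
    """'vulnerable', 'fixed', or 'unknown' (branch not covered by this page)."""
    major, minor, patch = release
    fixed_at = FIXED_PATCH.get((major, minor))
    if fixed_at is None:
        return "unknown"
    return "fixed" if patch >= fixed_at else "vulnerable"


def check_install(moodle_root: str) -> str:
    """Reads <moodle_root>/version.php and returns the assessment."""
    text = Path(moodle_root, "version.php").read_text(encoding="utf-8")
    return assess(parse_release(text))


if __name__ == "__main__":
    rel = parse_release(VERSION_PHP_SAMPLE)
    print(f"release {'.'.join(map(str, rel))}: {assess(rel)}")
```

Run `check_install("/var/www/moodle")` (or wherever the code base lives) from the host; a result of "unknown" means the branch is outside the versions this page covers and the vendor advisory should be consulted for it directly.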
📡 Detection & Monitoring
Log Indicators:
- Unusual volumes of \core\event\message_sent events from a single sender in the standard log
- Messages sent to users who are not enrolled in, or not in the same group as the sender within, the course the message originated from
Network Indicators:
- Increased outbound email (message notification) volume from the Moodle host
SIEM Query:
Pseudo-query (adapt field names and syntax to your SIEM): source="moodle_logs" AND eventname="\core\event\message_sent" AND count(relateduserid) by userid over window > threshold
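The following is an added example, not a Moodle or SIEM product query, of the detection logic the indicators above describe, run over constructed rows shaped like Moodle's logstore_standard_log table. It flags message_sent rows whose recipient (relateduserid) is not enrolled in the course the message was sent from, and senders that exceed a message count inside a sliding time window. The sample rows, the enrolment map, and the assumption that courseid is populated on the send event are constructed for this example; on a real site the enrolment set would come from the enrolment tables and the rows from the log store.

```python
r"""Detection over constructed logstore_standard_log-style rows.
Added example, not Moodle code. Column names follow Moodle's standard log:
userid = sender, relateduserid = recipient, timecreated = unix seconds."""

from collections import defaultdict

MESSAGE_SENT = r"\core\event\message_sent"

# Constructed enrolment map: course id -> enrolled user ids.
ENROLMENTS = {
    7: {10, 11, 12, 13},
}

# Constructed log rows (subset of logstore_standard_log columns).
LOG_ROWS = [
    {"eventname": MESSAGE_SENT, "userid": 1, "relateduserid": 10, "courseid": 7, "timecreated": 1_700_000_000},
    {"eventname": MESSAGE_SENT, "userid": 1, "relateduserid": 11, "courseid": 7, "timecreated": 1_700_000_001},
    {"eventname": MESSAGE_SENT, "userid": 1, "relateduserid": 99, "courseid": 7, "timecreated": 1_700_000_002},
    {"eventname": MESSAGE_SENT, "userid": 1, "relateduserid": 12, "courseid": 7, "timecreated": 1_700_000_003},
    {"eventname": r"\core\event\user_loggedin", "userid": 2, "relateduserid": None, "courseid": 0, "timecreated": 1_700_000_004},
    {"eventname": MESSAGE_SENT, "userid": 2, "relateduserid": 13, "courseid": 7, "timecreated": 1_700_000_900},
]


def unenrolled_recipients(rows, enrolments):
    """(sender, recipient, course) for messages sent to a user who is not
    enrolled in that course. Rows without a course id are skipped because the
    enrolment check has nothing to compare against."""
    hits = []
    for r in rows:
        if r["eventname"] != MESSAGE_SENT or not r["courseid"]:
            continue
        if r["relateduserid"] not in enrolments.get(r["courseid"], set()):
            hits.append((r["userid"], r["relateduserid"], r["courseid"]))
    return hits


def bulk_senders(rows, threshold, window_seconds):
    """sender -> peak count, for senders with more than `threshold`
    message_sent rows inside any sliding window of `window_seconds`."""
    by_sender = defaultdict(list)
    for r in rows:
        if r["eventname"] == MESSAGE_SENT:
            by_sender[r["userid"]].append(r["timecreated"])
    flagged = {}
    for sender, times in by_sender.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window_seconds:
                start += 1
            count = end - start + 1
            if count > threshold:
                flagged[sender] = max(flagged.get(sender, 0), count)
    return flagged


def run_detection(rows=LOG_ROWS, enrolments=ENROLMENTS, threshold=3, window_seconds=60):
    """Both checks over one batch of rows; the threshold and window are tunables."""
    return {
        "unenrolled_recipients": unenrolled_recipients(rows, enrolments),
        "bulk_senders": bulk_senders(rows, threshold, window_seconds),
    }


if __name__ == "__main__":
    print(run_detection())
```

The enrolment check is the higher-signal rule for this CVE: legitimate bulk messages from the non-respondents report only ever go to enrolled users, so a recipient outside the course's enrolment is a direct indicator of recipient-list tampering, whereas the rate rule mainly surfaces candidates for review and needs a threshold tuned to the site's normal teaching activity.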