CVE-2024-43439

5.4 MEDIUM

📋 TL;DR

This vulnerability in Moodle allows attackers to inject malicious scripts into H5P error messages, which are then reflected back to users. It affects Moodle instances with H5P content enabled, potentially compromising user sessions or stealing credentials. The risk primarily impacts users who view manipulated H5P content.

💻 Affected Systems

Products:
  • Moodle
Versions: Moodle 4.3.x before 4.3.8, 4.4.x before 4.4.2
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects installations with H5P content enabled. H5P is commonly used for interactive content in Moodle.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal administrator credentials, hijack user sessions, deface the Moodle site, or redirect users to malicious sites, potentially leading to full system compromise.

🟠 Likely Case

Attackers steal user session cookies or credentials through crafted H5P content, enabling unauthorized access to user accounts and potentially escalating privileges.

🟢 If Mitigated

With proper input validation and output encoding, the attack fails, resulting in no impact beyond error message display.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires user interaction (viewing malicious H5P content). The vulnerability is in error message handling, making exploitation straightforward once the attack vector is identified.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Moodle 4.3.8, 4.4.2

Vendor Advisory: https://moodle.org/mod/forum/discuss.php?d=461209

Restart Required: No

Instructions:

1. Back up your Moodle installation and database.
2. Download the patched version from moodle.org.
3. Replace affected files with patched versions.
4. Clear Moodle caches.
5. Verify functionality of H5P content.

🔧 Temporary Workarounds

Disable H5P content (all)

Temporarily disable H5P interactive content to eliminate the attack vector.

Navigate to Site administration > Plugins > Activity modules > H5P and disable it.

Implement WAF rules (all)

Configure the web application firewall to block reflected XSS patterns in H5P error parameters.

Add a WAF rule to detect and block scripts in H5P error parameters.

🧯 If You Can't Patch

  • Implement strict Content Security Policy (CSP) headers to prevent script execution from untrusted sources.
  • Enable XSS filters in web server configuration and monitor for suspicious H5P error parameter patterns.

🔍 How to Verify

Check if Vulnerable:

Check the Moodle version via Site administration > General > Notifications. If the version is 4.3.x below 4.3.8 or 4.4.x below 4.4.2 and H5P is enabled, the system is vulnerable.

Check Version:

Run `php admin/cli/check_database_schema.php` (shows the version in its output) or inspect the `version.php` file.

Verify Fix Applied:

After patching, verify that the version shows 4.3.8 or 4.4.2 or later. Test H5P error messages by triggering errors and checking that script tags are properly sanitized in the rendered output.

📡 Detection & Monitoring

Log Indicators:

  • Unusual H5P error messages containing script tags or JavaScript code
  • Multiple failed H5P content loads with suspicious parameters

Network Indicators:

  • HTTP requests to H5P endpoints with script payloads in parameters
  • Unexpected redirects from H5P error pages

SIEM Query:

source="moodle_logs" AND (message="*H5P*error*" AND (message="*<script>*" OR message="*javascript:*"))
