Bug 2264098 (CVE-2024-25982) - CVE-2024-25982 MSA-24-0005: CSRF risk in Language import utility
Summary: CVE-2024-25982 MSA-24-0005: CSRF risk in Language import utility
Keywords:
Status: CLOSED UPSTREAM
Alias: CVE-2024-25982
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2264910 2264911
Blocks: 2264073
TreeView+ depends on / blocked
 
Reported: 2024-02-13 21:39 UTC by Zack Miele
Modified: 2024-03-22 15:30 UTC (History)
1 user (show)

Fixed In Version: moodle 4.3.3, 4.2.6 and 4.1.9
Doc Type: ---
Doc Text:
The link to update all installed language packs did not include the necessary token to prevent a CSRF risk.
Clone Of:
Environment:
Last Closed: 2024-03-22 15:30:28 UTC
Embargoed:

Attachments (Terms of Use)

Description Zack Miele 2024-02-13 21:39:32 UTC 
MSA-24-0005: CSRF risk in Language import utility

Description: The link to update all installed language packs did not
include the necessary token to prevent a CSRF risk.
Issue summary: CSRF risk in Language import utility
Severity/Risk: Minor
Versions affected: 4.3 to 4.3.2, 4.2 to 4.2.5, 4.1 to 4.1.8 and earlier
unsupported versions
Versions fixed: 4.3.3, 4.2.6 and 4.1.9
Reported by: Panagiotis Petasis
Issue no.: MDL-54749
CVE identifier: Pending
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-54749
Comment 1 Robb Gatica 2024-02-19 16:00:49 UTC 
Created moodle tracking bugs for this issue:

Affects: epel-all [bug 2264910]
Affects: fedora-all [bug 2264911]
Comment 2 Zack Miele 2024-03-22 15:30:26 UTC 
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.
Note You need to log in before you can comment on or make changes to this bug.