CVE-2022-0335 in Moodle
Summary
by MITRE • 01/25/2022
A flaw was found in Moodle in versions 3.11 to 3.11.4, 3.10 to 3.10.8, 3.9 to 3.9.11 and earlier unsupported versions. The "delete badge alignment" functionality did not include the necessary token check to prevent a CSRF risk.
Analysis
by VulDB Data Team • 01/29/2022
This vulnerability exists within the Moodle learning management system where improper validation mechanisms allow for cross-site request forgery attacks to be executed against users. The flaw specifically affects Moodle versions ranging from 3.11.0 through 3.11.4, 3.10.0 through 3.10.8, 3.9.0 through 3.9.11, and earlier unsupported releases. The core issue stems from the delete badge alignment functionality lacking proper token validation checks that would normally prevent unauthorized actions from being executed on behalf of authenticated users.
This flaw lets an attacker craft a request that, when a logged-in user's browser issues it, deletes a badge alignment configuration in the Moodle system. Without the required token verification, the application cannot distinguish a legitimate user-initiated request from one crafted by an attacker. The weakness falls under CWE-352 Cross-Site Request Forgery in the Common Weakness Enumeration catalog, which covers applications that fail to validate that a request originates from a legitimate source rather than a malicious actor.
The operational impact of this vulnerability extends beyond simple data loss, as badge alignments in Moodle often represent important educational credentials and recognition systems that users and administrators rely upon. Attackers could potentially exploit this flaw to disrupt educational workflows, remove important recognition elements, or create confusion within the learning management environment. The risk is particularly elevated when users are logged into Moodle sessions that have not timed out, as the malicious requests could be automatically executed without additional user interaction.
Organizations using affected Moodle versions should immediately implement mitigations including updating to patched versions where available, implementing additional CSRF protection measures at the network level, and educating users about the risks of visiting untrusted websites while logged into Moodle systems. The vulnerability demonstrates the critical importance of maintaining proper validation controls for all administrative functions within web applications, aligning with ATT&CK technique T1190 for exploitation of vulnerabilities in web applications. System administrators should also consider implementing web application firewalls and monitoring for suspicious deletion patterns in their Moodle environments to detect potential exploitation attempts.
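The missing check and its fix, as an added illustrative example in Moodle's PHP idiom (not Moodle's own code for this issue): the weak handler trusts the session cookie alone, while the hardened one also demands the per-session token through Moodle's require_sesskey(). The file paths, the 'badge_alignment' table name, the parameter names and the omission of a capability check are assumptions for the example.

```php
<?php
// Added illustrative example, not Moodle's code. Assumes Moodle's config.php,
// which provides $DB, require_login(), required_param(), require_sesskey(),
// sesskey(), moodle_url and redirect(). Table name 'badge_alignment' is assumed.
require_once(__DIR__ . '/../config.php');

$alignmentid = required_param('alignmentid', PARAM_INT);
$badgeid     = required_param('badgeid', PARAM_INT);
require_login();

// WEAK (the pattern behind CVE-2022-0335): only authentication is checked.
// The browser attaches the Moodle session cookie to any request, so a page
// the victim merely visits can submit this request and the record is deleted.
function delete_alignment_weak(int $alignmentid): void {
    global $DB;
    $DB->delete_records('badge_alignment', ['id' => $alignmentid]);
}

// HARDENED: the request must also carry the per-session token ('sesskey').
// Only pages rendered by this Moodle instance can embed it, so a cross-site
// request cannot supply it. require_sesskey() throws a moodle_exception when
// the token is absent or wrong, so the delete below is never reached.
function delete_alignment_hardened(int $alignmentid): void {
    global $DB;
    require_sesskey();
    $DB->delete_records('badge_alignment', ['id' => $alignmentid]);
}

delete_alignment_hardened($alignmentid);

// Every link or form that triggers the action must carry the token, otherwise
// the hardened handler correctly rejects legitimate requests too. Example of
// building such a link (path is assumed):
$deletelink = new moodle_url('/badges/alignment_delete.php', [
    'badgeid'     => $badgeid,
    'alignmentid' => $alignmentid,
    'sesskey'     => sesskey(),
]);

redirect(new moodle_url('/badges/alignment.php', ['id' => $badgeid]));
```

The same rule applies to detection: a deletion request for this endpoint that lacks a sesskey parameter, or arrives with a foreign Origin or Referer header, is the pattern worth alerting on in web server logs.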