CVE-2022-45149 in Moodle
Summary
by MITRE • 11/23/2022
A vulnerability was found in Moodle that exists due to insufficient validation of the HTTP request origin in the course redirect URL. A user's CSRF token was unnecessarily included in the URL when the user was redirected to a course they had just restored. A remote attacker can trick the victim into visiting a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website. This flaw allows an attacker to perform cross-site request forgery attacks.
Analysis
by VulDB Data Team • 09/06/2025
This vulnerability resides in the Moodle learning management system and is a critical cross-site request forgery weakness caused by inadequate validation of the HTTP request origin during course redirection. When a user restores a course, Moodle redirects them to it with the user's CSRF token included as a URL parameter, and that exposed token is what lets an attacker craft a deceptive web page that manipulates the victim into executing unauthorized actions. The affected code is the course restoration flow, which places the security token directly in the redirect URL instead of keeping it in HTTP headers or server-side session storage.
The flaw matches CWE-352, which covers cross-site request forgery: weaknesses in web applications that let an attacker perform actions on behalf of an authenticated user without that user's knowledge or consent. Here the CSRF protection breaks down because state information is mishandled during an HTTP redirect and the origin of the request is not properly validated. Once a user navigates to a restored course, the security token is embedded in the URL, where it is exposed to social engineering attacks or malicious web pages.
The operational impact goes beyond simple unauthorized access: an attacker can perform arbitrary actions within the Moodle environment with the privileges of the targeted user. Depending on that user's role, this includes course modifications, content alterations, user management operations and potentially privilege escalation. Little technical sophistication is required, since the attacker only needs to craft a web page that triggers the vulnerable redirect mechanism when the victim visits it, which makes the issue particularly dangerous in environments where users frequently browse untrusted websites.
Mitigation should focus on CSRF token validation that does not rely on URL parameters for security state. The recommended fix is to remove CSRF tokens from URLs and carry them in HTTP headers or secure session storage instead. Strict validation of the HTTP Referer header and origin checks during redirect operations further reduce the attack surface, and organizations should also consider deploying Content Security Policy headers and validating every redirect URL to prevent malicious redirection. The vulnerability maps to ATT&CK technique T1566, which covers social engineering through malicious web content, and shows how insufficient validation of HTTP request origins can create exploitable conditions for privilege escalation.
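As an added example (not Moodle's own code), the following Python models the weakness and the mitigations the analysis recommends: a pre-fix redirect that leaks the CSRF token (Moodle names this parameter sesskey) into the URL, a fixed redirect that does not, and a request check that accepts the token only from the request body or a header, only when it matches the session, and only when the Origin or Referer belongs to the site. The hostname lms.example.test and the X-Sesskey header name are constructed for the example.

```python
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

SITE_HOST = "lms.example.test"            # constructed hostname
SITE_ORIGIN = "https://" + SITE_HOST      # Origin header form: scheme + host, no path
TOKEN_PARAM = "sesskey"                   # Moodle's CSRF token parameter name
TOKEN_HEADER = "X-Sesskey"                # constructed header name for the example


def vulnerable_redirect(course_id: int, session_token: str) -> str:
    # Pre-fix behaviour: the CSRF token is appended to the redirect target,
    # so it ends up in browser history, Referer headers and proxy logs.
    query = urlencode({"id": course_id, TOKEN_PARAM: session_token})
    return urlunsplit(("https", SITE_HOST, "/course/view.php", query, ""))


def safe_redirect(course_id: int) -> str:
    # Fixed behaviour: the redirect carries only the course id; the token
    # stays in the server-side session and is never part of a URL.
    query = urlencode({"id": course_id})
    return urlunsplit(("https", SITE_HOST, "/course/view.php", query, ""))


def leaks_token(url: str) -> bool:
    # Review/detection helper: does a redirect URL expose the CSRF token?
    return TOKEN_PARAM in parse_qs(urlsplit(url).query)


def request_allowed(headers: dict, form: dict, session_token: str) -> bool:
    # Check for a state-changing request. The browser-set Origin header is
    # preferred; Referer is the fallback. A missing or foreign origin fails.
    origin = headers.get("Origin") or headers.get("Referer", "")
    same_site = origin == SITE_ORIGIN or origin.startswith(SITE_ORIGIN + "/")
    if not same_site:
        return False
    # The token must come from the POST body or a header, never the query
    # string, and must match the session value (constant-time compare).
    submitted = form.get(TOKEN_PARAM) or headers.get(TOKEN_HEADER)
    return submitted is not None and hmac.compare_digest(submitted, session_token)


if __name__ == "__main__":
    print("leaks:", leaks_token(vulnerable_redirect(42, "abc123")))
    print("leaks:", leaks_token(safe_redirect(42)))
```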