Totara LMS up to 18.7 User Selector cross-site request forgery

Summaryinfo

A vulnerability has been found in Totara LMS up to 18.7 and classified as problematic. This impacts an unknown function of the component User Selector. Performing a manipulation results in cross-site request forgery. This vulnerability is cataloged as CVE-2024-3932. It is possible to initiate the attack remotely. Furthermore, there is an exploit available. The affected component should be upgraded.

Detailsinfo

A vulnerability classified as problematic has been found in Totara LMS up to 18.7 (Learning Management Software). This affects an unknown part of the component User Selector. The manipulation with an unknown input leads to a cross-site request forgery vulnerability. CWE is classifying the issue as CWE-352. The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request. This is going to have an impact on integrity.

The advisory is shared at totara.community. This vulnerability is uniquely identified as CVE-2024-3932. The exploitability is told to be difficult. It is possible to initiate the attack remotely. No form of authentication is needed for exploitation. It demands that the victim is doing some kind of user interaction. Technical details are unknown but a public exploit is available.

It is declared as proof-of-concept.

Upgrading to version 13.46, 14.38, 15.33, 16.27, 17.21 or 18.8 eliminates this vulnerability.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Productinfo

Type

• Learning Management Software

Vendor

• Totara

Name

• LMS

Version

• 13.0
• 13.1
• 13.2
• 13.3
• 13.4
• 13.5
• 13.6
• 13.7
• 13.8
• 13.9
• 13.10
• 13.11
• 13.12
• 13.13
• 13.14
• 13.15
• 13.16
• 13.17
• 13.18
• 13.19
• 13.20
• 13.21
• 13.22
• 13.23
• 13.24
• 13.25
• 13.26
• 13.27
• 13.28
• 13.29
• 13.30
• 13.31
• 13.32
• 13.33
• 13.34
• 13.35
• 13.36
• 13.37
• 13.38
• 13.39
• 13.40
• 13.41
• 13.42
• 13.43
• 13.44
• 13.45
• 14.0
• 14.1
• 14.2
• 14.3
• 14.4
• 14.5
• 14.6
• 14.7
• 14.8
• 14.9
• 14.10
• 14.11
• 14.12
• 14.13
• 14.14
• 14.15
• 14.16
• 14.17
• 14.18
• 14.19
• 14.20
• 14.21
• 14.22
• 14.23
• 14.24
• 14.25
• 14.26
• 14.27
• 14.28
• 14.29
• 14.30
• 14.31
• 14.32
• 14.33
• 14.34
• 14.35
• 14.36
• 14.37
• 15.0
• 15.1
• 15.2
• 15.3
• 15.4
• 15.5
• 15.6
• 15.7
• 15.8
• 15.9
• 15.10
• 15.11
• 15.12
• 15.13
• 15.14
• 15.15
• 15.16
• 15.17
• 15.18
• 15.19
• 15.20
• 15.21
• 15.22
• 15.23
• 15.24
• 15.25
• 15.26
• 15.27
• 15.28
• 15.29
• 15.30
• 15.31
• 15.32
• 16.0
• 16.1
• 16.2
• 16.3
• 16.4
• 16.5
• 16.6
• 16.7
• 16.8
• 16.9
• 16.10
• 16.11
• 16.12
• 16.13
• 16.14
• 16.15
• 16.16
• 16.17
• 16.18
• 16.19
• 16.20
• 16.21
• 16.22
• 16.23
• 16.24
• 16.25
• 16.26
• 17.0
• 17.1
• 17.2
• 17.3
• 17.4
• 17.5
• 17.6
• 17.7
• 17.8
• 17.9
• 17.10
• 17.11
• 17.12
• 17.13
• 17.14
• 17.15
• 17.16
• 17.17
• 17.18
• 17.19
• 17.20
• 18.0
• 18.1
• 18.2
• 18.3
• 18.4
• 18.5
• 18.6
• 18.7

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Submitinfo

Accepted

• Submit #314381: Totara Totara LMS Totara 18.0.1 (Build: 20231128.01) Privileges Scalation

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Discussion