A blind Server-Side Request Forgery (SSRF) vulnerability was found in Moodle. This flaw exists due to insufficient validation of user-supplied input in LTI provider library. The library does not utilise Moodle's inbuilt cURL helper, which resulted in a blind SSRF risk. An attacker can send a specially crafted HTTP request and trick the application to initiate requests to arbitrary systems. This vulnerability allows a remote attacker to perform SSRF attacks.
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| moodle/moodle(Packagist) | 3.9 | 3.9.18 | N/A |
| moodle/moodle(Packagist) | 3.11 | 3.11.11 | N/A |
| moodle/moodle(Packagist) | 4.0 | 4.0.5 | N/A |
CVSS Metrics
