CVE-2024-43432

Published: Nov 11, 2024Modified: May 1, 2025

5.3

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Exploitability: 3.9 / Impact: 1.4

Source: NVD

Description

A flaw was found in moodle. The cURL wrapper in Moodle strips HTTPAUTH and USERPWD headers during emulated redirects, but retains other original request headers, so HTTP authorization header information could be unintentionally sent in requests to redirect URLs.

Affected (4)

Products: Moodle: Moodle

1 product

Configuration A

4 vulnerable

Vulnerable Software	Affected Versions
Moodle Moodle	Before 4.1.12
Moodle Moodle	From 4.2.0 to 4.2.9
Moodle Moodle	From 4.3.0 to 4.3.6
Moodle Moodle	From 4.4.0 to 4.4.2

Related CWEs

Cleartext Transmission of Sensitive Information

The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.

References (2)

https://bugzilla.redhat.com/show_bug.cgi?id=2304260

Source: patrick@puiterwijk.org

Permissions Required

https://moodle.org/mod/forum/discuss.php?d=461200

Source: patrick@puiterwijk.org

Vendor Advisory

Timeline

No history available yet.