The cURL wrapper in Moodle retained the original request headers when following redirects, so HTTP authorization header information could be unintentionally sent in requests to redirect URLs.
2024-06-18T20:15:13.970
2025-04-30T23:35:59.790
Analyzed
CVSSv3.1: 7.5 (HIGH)
Type | Vendor | Product | Version/Range | Vulnerable? |
---|---|---|---|---|
Application | moodle | moodle | < 4.1.11 | Yes |
Application | moodle | moodle | < 4.2.8 | Yes |
Application | moodle | moodle | < 4.3.5 | Yes |
Application | moodle | moodle | 4.4.0 | Yes |