What is CVE-2021-43559?

CVE-2021-43559 is a high-severity vulnerability in Moodle, classified under Cross-Site Request Forgery (CSRF). CVSS score: 8.8/10. Published 2021-11-22.

How severe is CVE-2021-43559?

High severity. CVSS v3 base score is 8.8 out of 10.

Is CVE-2021-43559 known to be exploited?

1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

CSRF in Moodle

CVE-2021-43559

A flaw was found in Moodle in versions 3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10 and earlier unsupported versions. The "delete related badge" functionality did not include the necessary token check to prevent a CSRF risk.

Vulnerability class: CSRF (Cross-Site Request Forgery)

EPSS: 0.006 (44.3th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 8.8 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H.

Affected products

Moodle
Fedoraproject Extra_packages_for_enterprise_linux — versions 7.0
Fedoraproject Fedora — versions 35
N/a Moodle — versions moodle 3.11.4, moodle 3.10.8 and moodle 3.9.11

Weakness classification (CWE)

CWE-352 — Cross-Site Request Forgery (CSRF)

Public proof-of-concept exploits

jev770/badmoodle-scan

References

patrick@puiterwijk.org (Third Party Advisory, x_refsource_MISC, Issue Tracking)
patrick@puiterwijk.org (Patch, x_refsource_MISC, Vendor Advisory)

Frequently asked questions

What is CVE-2021-43559?: CVE-2021-43559 is a high-severity vulnerability in Moodle, classified under Cross-Site Request Forgery (CSRF). CVSS score: 8.8/10. Published 2021-11-22.
How severe is CVE-2021-43559?: High severity. CVSS v3 base score is 8.8 out of 10.
Is CVE-2021-43559 known to be exploited?: 1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.