With over 416 million registered Moodle users from 218 countries, the vulnerabilities posed a threat to universities, schools, and students worldwide
Alexey Solovyov, an expert at Positive Technologies, has discovered critical vulnerabilities in Moodle, one of the most widely used learning management systems (LMS). This open-source solution is used for both remote and in-person learning in schools and universities, as well as in online courses and corporate training programs. Moodle is the leading LMS for higher education in most regions, with a market share of 73% in Latin America, 69% in Europe, 56% in Oceania and Australia, and 16% in North America. The vendor was informed of the threat in accordance with the responsible disclosure policy and has already released a security update.
"If attackers managed to exploit these vulnerabilities, they could potentially halt the educational process, distort information displayed to students, gain access to databases, or execute arbitrary code on the server. The system is used by tens of thousands of educational institutions and some of the world's largest companies, so it's crucial to remediate the vulnerabilities as quickly as possible," said Alexey Solovyov, Senior Web Application Security Analyst at Positive Technologies.
The vulnerabilities CVE-2024-33997 and CVE-2024-33998 have both received a CVSS v3 score of 6.8. They fall under the category of Cross-Site Scripting (XSS), allowing attackers to execute arbitrary JavaScript code in the victim's browser. By exploiting the discovered vulnerabilities, an attacker with minimal privileges could inject arbitrary code and save it on the server. The attacker could then trick the Moodle administrator into executing the injected code, leading to a complete system compromise.
According to the expert, this vulnerability, like many others, stems from insufficient data sanitization[1] or a complete lack of it.
The vulnerabilities affect Moodle versions 4.1–4.1.9, 4.2–4.2.6, 4.3–4.3.3 and earlier. They have been fixed in versions 4.1.10, 4.2.7, and 4.3.4. To address these security flaws, we recommend installing the latest software update and regularly checking for updates.
Such vulnerabilities can be detected at the product development stage with the help of a static code analysis tool such as PT Application Inspector. To detect known vulnerabilities in your IT infrastructure, use MaxPatrol VM. Web application firewalls, such as PT Application Firewall and its cloud-based version PT Cloud Application Firewall, offer robust defense against exploitation of vulnerabilities. To reduce the risk of remote code execution (RCE) at endpoints, including servers, endpoint detection and response (EDR) security solutions like MaxPatrol EDR can be used. Once malicious activity is detected, MaxPatrol EDR sends an alert to MaxPatrol SIEM and stops attackers in their tracks.
[1] Data sanitization involves conversion of string input data into an output form that is safe for use (with methods such as HtmlEncode, UrlEncode, or addslashes).
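The stored XSS pattern described above (low-privilege user saves markup, an administrator's browser later renders it) and the HtmlEncode remedy from the footnote, as an added illustration that is not Moodle's code or Positive Technologies' material: the stored profile values, the field names and the rendering functions are constructed for this example.

```python
import html
import re

# Constructed sample of values a low-privilege account could save on the server.
# Both contain harmless placeholder markup in the positions an XSS payload would use.
STORED_PROFILE = {
    "display_name": "Alice <script>/* constructed marker */</script>",
    "website": 'https://example.test/" onmouseover="/* constructed */',
}

def render_unsafe(profile):
    """'Before' form: stored strings pasted into the page unencoded (the defect class in the text)."""
    return (f'<h2>{profile["display_name"]}</h2>'
            f'<a href="{profile["website"]}">site</a>')

def encode_text(value):
    """HtmlEncode for element content: &, <, >, and both quote characters become entities."""
    return html.escape(value, quote=True)

def safe_url(value):
    """Attribute context needs encoding AND a scheme check; non-http(s) URLs become a dead link."""
    if re.match(r"^https?://", value, re.IGNORECASE):
        return html.escape(value, quote=True)
    return "#"

def render_safe(profile):
    """'After' form: every stored value is encoded for the context it lands in."""
    return (f'<h2>{encode_text(profile["display_name"])}</h2>'
            f'<a href="{safe_url(profile["website"])}">site</a>')

def unescaped_fields(rendered, profile):
    """Review check: which stored values containing markup characters reach the page verbatim?"""
    risky = [k for k, v in profile.items() if any(c in v for c in '<>"\'')]
    return [k for k in risky if profile[k] in rendered]

if __name__ == "__main__":
    print("unsafe leaks:", unescaped_fields(render_unsafe(STORED_PROFILE), STORED_PROFILE))
    print("safe leaks:  ", unescaped_fields(render_safe(STORED_PROFILE), STORED_PROFILE))
```

The `unescaped_fields` check is a coarse regression test for templates, not a substitute for the static analysis the text recommends: it only catches stored values that reach the output byte-for-byte.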