Moodle · Moodle · CVE-2023-35133
**Name of the Vulnerable Software and Affected Versions**
Moodle versions 3.9 to 3.9.21
Moodle versions 3.11 to 3.11.14
Moodle versions 4.0 to 4.0.8
Moodle versions 4.1 to 4.1.3
Moodle version 4.2
**Description**
The issue is related to the logic used to check 0.0.0.0 against the cURL blocked hosts lists, resulting in a Server-Side Request Forgery (SSRF) risk. This allows an attacker to send a specially crafted HTTP request, forcing the application to initiate requests to arbitrary systems. Exploitation of this issue may enable a remote attacker to access confidential data located in the local network or send malicious requests to other servers from the vulnerable system.
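As an added illustration of the kind of check involved (example code written for this page, not Moodle's own), the Python below contrasts a blocked-hosts check that only matches literal entries and address ranges with one that also treats the unspecified address 0.0.0.0 (and its IPv6 form ::) as the local host, which is where a connection to it is delivered on common platforms; the blocklist, hostnames and resolver table are constructed for the example.

```python
import ipaddress

# Constructed "blocked hosts" list as an administrator might write one
# (hostnames, single addresses, CIDR ranges). Assumed format, not Moodle's config.
BLOCKED_HOSTS = ["localhost", "127.0.0.0/8", "::1", "169.254.0.0/16", "10.0.0.0/8"]

# Constructed, offline stand-in for DNS so the example runs without a network.
FAKE_DNS = {
    "localhost": ["127.0.0.1"],
    "intranet.example": ["10.1.2.3"],
    "www.example": ["93.184.216.34"],
}


def resolve(host: str) -> list[str]:
    """Return an address literal unchanged, or the constructed DNS answer for a name."""
    try:
        return [str(ipaddress.ip_address(host))]
    except ValueError:
        return FAKE_DNS.get(host, [])


def naive_is_blocked(host: str) -> bool:
    """Match a hostname entry by name and an address entry by range membership only.
    Nothing here knows that 0.0.0.0 is delivered to the local host, so it passes."""
    if host in BLOCKED_HOSTS:
        return True
    for addr in resolve(host):
        ip = ipaddress.ip_address(addr)
        for entry in BLOCKED_HOSTS:
            try:
                net = ipaddress.ip_network(entry, strict=False)
            except ValueError:
                continue  # hostname entry, already compared above
            if ip in net:  # False when IP versions differ
                return True
    return False


def hardened_is_blocked(host: str) -> bool:
    """Same check, plus: the unspecified address (0.0.0.0 / ::) is treated as local.
    Checking resolved addresses, not just the typed host, also covers DNS names."""
    for addr in resolve(host):
        if ipaddress.ip_address(addr).is_unspecified:
            return True
    return naive_is_blocked(host)
```

Both functions deliberately check the resolved addresses rather than the string the user typed, so a hostname that resolves to a blocked range is refused as well.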
**Recommendations**
For Moodle version 4.2, update to a version that includes the fix for this issue.
For Moodle versions 4.1 to 4.1.3, update to a version that includes the fix for this issue.
For Moodle versions 4.0 to 4.0.8, update to a version that includes the fix for this issue.
For Moodle versions 3.11 to 3.11.14, update to a version that includes the fix for this issue.
For Moodle versions 3.9 to 3.9.21, update to a version that includes the fix for this issue.
As a temporary workaround, consider restricting access to the cURL functionality until a patch is available.