CVE-2023-35133

Name of the Vulnerable Software and Affected Versions Moodle versions 3.9 to 3.9.21 Moodle versions 3.11 to 3.11.14 Moodle versions 4.0 to 4.0.8 Moodle versions 4.1 to 4.1.3 Moodle version 4.2

Description The issue is related to the logic used to check 0.0.0.0 against the cURL blocked hosts lists, resulting in a Server-Side Request Forgery (SSRF) risk. This allows an attacker to send a specially crafted HTTP request, forcing the application to initiate requests to arbitrary systems. Exploitation of this issue may enable a remote attacker to access confidential data located in the local network or send malicious requests to other servers from the vulnerable system.

Recommendations For Moodle version 4.2, update to a version that includes the fix for this issue. For Moodle versions 4.1 to 4.1.3, update to a version that includes the fix for this issue. For Moodle versions 4.0 to 4.0.8, update to a version that includes the fix for this issue. For Moodle versions 3.11 to 3.11.14, update to a version that includes the fix for this issue. For Moodle versions 3.9 to 3.9.21, update to a version that includes the fix for this issue. As a temporary workaround, consider restricting access to the cURL functionality until a patch is available.