Moodle Multi-Factor Authentication Vulnerability Leading to User Denial-of-Service and Name Disclosure

Vulnerability

A vulnerability in Moodle's Multi-Factor Authentication (MFA) email factor can be exploited to revoke a user's only available second authentication factor. The flaw is a missing check in the MFA email factor's revoke action, and it can prevent users from logging in even after completing two-factor authentication. The same missing check also allows disclosure of the target user's name via an Insecure Direct Object Reference (IDOR). The issue affects Moodle versions 4.5 prior to 4.5.4, 4.4 prior to 4.4.8, and 4.3 prior to 4.3.12.
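The following is an added, constructed illustration of the bug class described above, not Moodle's code: a factor revoke action that omits an ownership check lets any authenticated user remove someone else's factor by id and learn the owner's name, while the hardened version looks the factor up only within the acting user's own factors. All names, ids and the store layout are assumptions made for the example.

```python
"""Constructed model of an IDOR in an MFA factor 'revoke' action (not Moodle's code)."""
from dataclasses import dataclass, field


@dataclass
class Factor:
    factor_id: int
    owner_id: int
    kind: str = "email"


@dataclass
class Store:
    users: dict                                   # user_id -> display name (constructed)
    factors: dict = field(default_factory=dict)   # factor_id -> Factor

    def active_factors(self, user_id):
        return [f for f in self.factors.values() if f.owner_id == user_id]


class Forbidden(Exception):
    pass


def revoke_vulnerable(store, acting_user, factor_id):
    """Missing ownership check: the acting user is never compared with the
    factor's owner, so a guessed id revokes a stranger's only factor and the
    confirmation message leaks that owner's name."""
    factor = store.factors.pop(factor_id)
    return f"Revoked {factor.kind} factor for {store.users[factor.owner_id]}"


def revoke_fixed(store, acting_user, factor_id):
    """Hardened: a factor that is missing or owned by someone else is rejected
    with the same error, so the id space cannot be probed for names."""
    factor = store.factors.get(factor_id)
    if factor is None or factor.owner_id != acting_user:
        raise Forbidden("no such factor")
    del store.factors[factor_id]
    return "Revoked"


def sample_store():
    # Constructed sample data: two users, each with a single email factor.
    store = Store(users={1: "Alice Example", 2: "Bob Example"})
    store.factors[10] = Factor(10, 1)
    store.factors[11] = Factor(11, 2)
    return store
```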

Impact

Exploitation of this vulnerability causes a denial-of-service condition for users by disrupting their login process, despite having completed two-factor authentication. It also leads to unauthorized disclosure of user names.

Remediation

Users can upgrade to Moodle versions 4.5.4, 4.4.8, or 4.3.12 to address this vulnerability.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread          5.0
impact          3.1
exploitability  5.2
remediation     7.7
relevance       0.0
threat          0.0
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.