Moodle Mod_Data Module Cross-Site Request Forgery Token Exposure Vulnerability

Vulnerability

A vulnerability was identified in Moodle's mod_data module: the token that protects against cross-site request forgery (CSRF) was inadvertently exposed in the site's URL. The issue specifically affected the edit and delete pages within the mod_data module. Because a user's CSRF token was included in the URL, the token could be disclosed, creating a potential risk of CSRF attacks.

Impact

Exposing CSRF tokens in URLs can enable cross-site request forgery attacks: URLs are recorded in browser history, server and proxy logs, and outbound Referer headers, so an attacker who obtains a token could potentially perform actions on behalf of a user without their consent.

Reproduction

To reproduce this vulnerability, navigate to the edit or delete pages of the mod_data module in Moodle versions 4.5 prior to 4.5.3, 4.4 prior to 4.4.7, 4.3 prior to 4.3.11, and 4.1 prior to 4.1.17. The CSRF token will be visible in the URL, demonstrating the exposure of sensitive information that could be exploited in a CSRF attack.

Remediation

Users can upgrade to Moodle versions 4.5.4, 4.4.8, 4.3.12, or 4.1.18, where this vulnerability has been fixed.
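A defender-side log check for this exposure, added here as an example and not Moodle's own code: it assumes the token is Moodle's `sesskey` query parameter and flags mod_data edit and delete requests that carry it in the request URL or in a Referer header, which is where a token in a URL actually leaks.

```python
"""Scan access logs for CSRF tokens carried in mod_data URLs (added example,
not Moodle code). Assumes Moodle's `sesskey` query parameter is the token and
that mod/data/edit.php and mod/data/delete.php are the affected endpoints."""
import re
from urllib.parse import parse_qs, urlsplit

AFFECTED_PATHS = {"/mod/data/edit.php", "/mod/data/delete.php"}
TOKEN_PARAM = "sesskey"  # assumption: Moodle's CSRF token parameter name

# Constructed sample lines in Apache "combined" log format, not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [09/Jun/2025:19:46:01 +0000] "GET /mod/data/edit.php?d=3&rid=17&sesskey=AbC123xYz HTTP/1.1" 200 5120 "https://lms.example.test/mod/data/view.php?d=3" "Mozilla/5.0"
198.51.100.7 - - [09/Jun/2025:19:47:30 +0000] "GET /mod/data/delete.php?d=3&delete=17&sesskey=Qq9Zz8Ww HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [09/Jun/2025:19:48:02 +0000] "POST /mod/data/edit.php?d=3&rid=17 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [09/Jun/2025:19:49:15 +0000] "GET /theme/image.php/boost/core/1/i/edit HTTP/1.1" 200 640 "https://lms.example.test/mod/data/edit.php?d=3&rid=17&sesskey=AbC123xYz" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) \S+" (\d{3}) \S+ "([^"]*)" "[^"]*"$'
)


def token_in_query(url):
    """Return the CSRF token if `url` targets an affected page and carries one."""
    parts = urlsplit(url)
    if parts.path not in AFFECTED_PATHS:
        return None
    values = parse_qs(parts.query).get(TOKEN_PARAM)
    return values[0] if values else None


def find_token_exposures(log_text):
    """One record per request showing a CSRF token in the request URL or in the
    Referer header; the latter proves the token already left the user's browser."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, ts, method, target, status, referer = m.groups()
        for where, url in (("request_url", target), ("referer", referer)):
            token = token_in_query(url)
            if token:
                hits.append({"client": client, "time": ts, "method": method,
                             "status": status, "where": where,
                             "path": urlsplit(url).path,
                             # Redact: reports must not re-expose the token.
                             "token": token[:2] + "*" * (len(token) - 2)})
    return hits
```

The POST without a token in its query string is the shape requests take once the token moves out of the URL, and it is not flagged; the Referer hit from an unrelated image request shows the token travelling to another endpoint's log.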

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 5.0
impact: 2.5
exploitability: 5.8
remediation: 7.7
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.