vulnerability
Moodle: Server-Side Request Forgery (SSRF) (CVE-2023-35133)
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 8 | (AV:N/AC:L/Au:N/C:C/I:N/A:N) | Jun 22, 2023 | Jul 4, 2023 | May 7, 2026 |
Severity
8
CVSS
(AV:N/AC:L/Au:N/C:C/I:N/A:N)
Published
Jun 22, 2023
Added
Jul 4, 2023
Modified
May 7, 2026
Description
An issue in the logic used to check 0.0.0.0 against the cURL blocked hosts lists resulted in an SSRF risk. This flaw affects Moodle versions 4.2, 4.1 to 4.1.3, 4.0 to 4.0.8, 3.11 to 3.11.14, 3.9 to 3.9.21 and earlier unsupported versions.
Solution
moodle-upgrade-latest
References
- CVE-2023-35133
- https://attackerkb.com/topics/CVE-2023-35133
- https://bugzilla.redhat.com/show_bug.cgi?id=2214373
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7A72KX4WU6GK2CX4TKYFGFASPKOEOJFC/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I5QAEAGJ44NVXLAJFJXKARKC45OGEDXT/
- https://moodle.org/mod/forum/discuss.php?d=447831
- https://euvd.enisa.europa.eu/vulnerability/EUVD-2023-1920
- CWE-918
- EUVD-EUVD-2023-1920
Rapid7 Labs
2026 Global Threat Landscape Report
The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.