vulnerability

Moodle: Cleartext Transmission of Sensitive Information (CVE-2024-43432)

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
5	(AV:N/AC:L/Au:N/C:P/I:N/A:N)	Nov 11, 2024	May 5, 2025	May 7, 2026

Severity

CVSS

(AV:N/AC:L/Au:N/C:P/I:N/A:N)

Published

Nov 11, 2024

Added

May 5, 2025

Modified

May 7, 2026

Description

A flaw was found in moodle. The cURL wrapper in Moodle strips HTTPAUTH and USERPWD headers during emulated redirects, but retains other original request headers, so HTTP authorization header information could be unintentionally sent in requests to redirect URLs.

Solution

moodle-upgrade-latest

References

CVE-2024-43432
https://attackerkb.com/topics/CVE-2024-43432
https://bugzilla.redhat.com/show_bug.cgi?id=2304260
https://moodle.org/mod/forum/discuss.php?d=461200
https://euvd.enisa.europa.eu/vulnerability/EUVD-2024-3215
CWE-319
EUVD-EUVD-2024-3215

Rapid7 Labs

2026 Global Threat Landscape Report

The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.

Get report