3.1 CVE-2025-3637

Patch
 

A security vulnerability was found in Moodle where confidential information that prevents cross-site request forgery (CSRF) attacks was shared publicly through the site's URL. This vulnerability occurred specifically on two types of pages within the mod_data module: edit and delete pages.
https://nvd.nist.gov/vuln/detail/CVE-2025-3637

Categories

CWE-598 : Use of GET Request Method With Sensitive Query Strings
The web application uses the HTTP GET method to process a request and includes sensitive information in the query string of that request. Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) When sensitive information is sent, use the POST method (e.g. registration form). A discussion platform leaks private information in GET requests.

References


 

CPE

cpe start end
Configuration 1
cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:* < 4.3.12
cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:* >= 4.4.0 < 4.4.8
cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:* >= 4.5.0 < 4.5.4

REMEDIATION

Patch

Url
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-65356

EXPLOITS

Exploit-db.com

id description date
No known exploits

POC Github

Url
No known exploits

Other Nist (github, ...)

Url
No known exploits

CAPEC

Common Attack Pattern Enumerations and Classifications

id description severity
No entry