In Moodle before 3.8.2, 3.7.5, 3.6.9 and 3.5.11, X-Forwarded-For headers could be used to spoof a user's IP address in order to bypass remote address checks.
The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.
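The weakness class described above, shown as an added Python example (not Moodle's code or its fix): a naive resolver that believes any X-Forwarded-For value, beside one that honours the header only when the connection comes from a known reverse proxy. The function names, the proxy range and the allowlisted range are assumptions made for illustration.

```python
import ipaddress

# Assumptions (constructed values): the site's own reverse proxies, and a
# network that an IP-restricted feature is meant to admit.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]
ALLOWED_CLIENTS = ipaddress.ip_network("192.168.1.0/24")


def _is_trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)


def naive_client_ip(peer, xff):
    """Weak pattern: believe the first X-Forwarded-For entry from any sender."""
    return xff.split(",")[0].strip() if xff else peer


def client_ip(peer, xff):
    """Address to use for remote-address checks.

    peer is the TCP peer address (not settable by a header);
    xff is the raw X-Forwarded-For value or None.
    """
    addr = ipaddress.ip_address(peer)
    # An untrusted peer controls the whole header, so ignore it.
    if not xff or not _is_trusted(addr):
        return str(addr)
    # Walk right to left: each trusted proxy appended the address it saw.
    for hop in reversed([h.strip() for h in xff.split(",")]):
        try:
            candidate = ipaddress.ip_address(hop)
        except ValueError:
            # Malformed entry: keep the last address a trusted proxy vouched for.
            return str(addr)
        addr = candidate
        if not _is_trusted(addr):
            # First hop not operated by us: everything left of it is unverified.
            return str(addr)
    return str(addr)


def is_allowed(ip):
    """Remote-address check against the constructed allowlist."""
    return ipaddress.ip_address(ip) in ALLOWED_CLIENTS
```
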
Name | Vendor | Start Version | End Version |
---|---|---|---|
Moodle | Moodle | 3.5.0 (including) | 3.5.11 (excluding) |
Moodle | Moodle | 3.6.0 (including) | 3.6.9 (excluding) |
Moodle | Moodle | 3.7.0 (including) | 3.7.5 (excluding) |
Moodle | Moodle | 3.8.0 (including) | 3.8.2 (excluding) |
Moodle | Ubuntu | bionic | * |
Moodle | Ubuntu | trusty | * |
Moodle | Ubuntu | xenial | * |