CVE-2025-62397
BaseFortify
Publication date: 2025-10-23
Last updated on: 2025-11-14
Assigner: Fedora Project
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| moodle | moodle | From 5.0.0 (inc) to 5.0.3 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-209 | The product generates an error message that includes sensitive information about its environment, users, or associated data. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability occurs because the router in Moodle versions 5.0 to 5.0.2 responds differently to invalid course IDs by returning JSON data instead of a standard 404 error. This inconsistent response allows attackers to determine which course IDs exist, facilitating user enumeration or reconnaissance attacks. [1]
How can this vulnerability impact me?
The vulnerability can impact you by enabling attackers to identify valid course IDs on your Moodle system. This information can be used for reconnaissance purposes, potentially aiding further targeted attacks or unauthorized information gathering. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by sending requests to the Moodle router with various course IDs and observing the responses. Specifically, on a vulnerable system, querying an invalid or non-existent course ID returns JSON data instead of a standard 404 error. A simple check is to use curl to request a course ID that is known to be invalid and inspect the response. For example: curl -i "https://your-moodle-site/course/view.php?id=INVALID_ID". If the response contains JSON data rather than a 404 error page, the system is vulnerable. [1]
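As an added example (not from the original page or from Moodle), the following Python sketch interprets saved `curl -i` output from that check and labels the response to a known-invalid course ID. The function names, the labels and both sample responses are assumptions constructed for illustration.

```python
import json

# Constructed samples (not captured from a real Moodle site).
SAMPLE_JSON = ("HTTP/1.1 200 OK\r\nContent-Type: application/json; charset=utf-8\r\n"
               "\r\n{\"message\": \"constructed sample\"}")
SAMPLE_404 = ("HTTP/1.1 301 Moved Permanently\r\nLocation: https://moodle.example/\r\n"
              "\r\nHTTP/2 404 \r\ncontent-type: text/html; charset=utf-8\r\n"
              "\r\n<!DOCTYPE html><title>Not found</title>")

def parse_curl_i(raw):
    """Return (status, headers, body) of the final response in `curl -i` output."""
    body = raw.replace("\r\n", "\n")
    status, headers = None, {}
    # curl -i may print several header blocks (e.g. redirects followed with -L);
    # keep consuming blocks while the remainder still starts with a status line.
    while body.startswith("HTTP/"):
        head, _, body = body.partition("\n\n")
        lines = head.split("\n")
        parts = lines[0].split()
        if len(parts) < 2 or not parts[1].isdigit():
            return None, {}, raw
        status, headers = int(parts[1]), {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
    return status, headers, body

def looks_like_json(headers, body):
    """True if the Content-Type says JSON or the body parses as a JSON object/array."""
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if ctype == "application/json" or ctype.endswith("+json"):
        return True
    try:
        return isinstance(json.loads(body), (dict, list))
    except ValueError:
        return False

def classify(raw):
    """Label one response to a request for a known-invalid course ID."""
    status, headers, body = parse_curl_i(raw)
    if status is None:
        return "unparseable"
    if looks_like_json(headers, body):
        return "json-response"  # the behaviour the page describes as vulnerable
    return "standard-404" if status == 404 else "inconclusive"

if __name__ == "__main__":
    for name, raw in (("SAMPLE_JSON", SAMPLE_JSON), ("SAMPLE_404", SAMPLE_404)):
        print(name, "->", classify(raw))
```

A body that parses as JSON is flagged even when the status code or Content-Type suggests an ordinary error page, so the status code is not relied on alone.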
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade Moodle to version 5.0.3 or later, where this vulnerability has been fixed. Until the upgrade can be applied, consider restricting access to the affected endpoints or implementing additional request filtering to prevent reconnaissance attempts. [1]