CVE-2016-3734
Moodle Cross-site request forgery (CSRF) vulnerability
8.8 HIGH (CVSS 3.1)
EPSS 0.09%
Description
Cross-site request forgery (CSRF) vulnerability in markposts.php in Moodle 3.0 through 3.0.3, 2.9 through 2.9.5, 2.8 through 2.8.11, 2.7 through 2.7.13 and earlier allows remote attackers to hijack the authentication of users for requests that mark forum posts as read.
How to fix CVE-2016-3734
To remediate CVE-2016-3734, upgrade the affected package to a fixed version below.
- Upgrade to 2.7.14 or later
Is CVE-2016-3734 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, < 2.7.14
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 8.8 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |