====================================================================


                             CERT-Renater

                 Note d'Information No. 2018/VULN388
_____________________________________________________________________

DATE                : 20/11/2018

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Moodle versions prior to 3.6,
                                 3.5.3, 3.4.6, 3.3.9, 3.1.15.

=====================================================================
https://moodle.org/mod/forum/discuss.php?d=378731#p1527068
_____________________________________________________________________

MSA-18-0020: Login CSRF vulnerability in login form
Michael Hawkins
Monday, 19 November 2018, 3:21 PM


The login form is not protected by a token to prevent login cross-site
request
forgery.


Severity/Risk:           Serious
Versions affected:       3.5 to 3.5.2, 3.4 to 3.4.5, 3.3 to 3.3.8, 3.1
                         to 3.1.14 and earlier unsupported versions
Versions fixed:          3.6, 3.5.3, 3.4.6, 3.3.9 and 3.1.15
Reported by:             Daniel Thatcher
CVE identifier:          CVE-2018-16854

Changes (master):
http://git.moodle.org/gw-p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-63183

Tracker issue:           MDL-63183 Login CSRF vulnerability in login
                         form

=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email:cert@support.renater.fr   +
=========================================================